/************************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2015 - 2017, translated from Microsoft sources/debugger
*
*  TITLE:       NTOS.H
*
*  VERSION:     1.74
*
*  DATE:        01 Dec 2017
*
*  Common header file for the ntos API functions and definitions.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
************************************************************************************/

#pragma comment(lib, "ntdll.lib")

#pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int

#define IN_REGION(x, Base, Size) (((ULONG_PTR)x >= (ULONG_PTR)Base) && ((ULONG_PTR)x <= (ULONG_PTR)Base + (ULONG_PTR)Size))

#define ALIGN_DOWN(count,size) \
            ((ULONG_PTR)(count) & ~((ULONG_PTR)(size) - 1))

#define ALIGN_UP(count,size) \
            (ALIGN_DOWN( (ULONG_PTR)(count)+(ULONG_PTR)(size)-1, (ULONG_PTR)(size) ))

#define ARGUMENT_PRESENT(ArgumentPointer)    (\
    (CHAR *)((ULONG_PTR)(ArgumentPointer)) != (CHAR *)(NULL) )

//Access Rights

#define CALLBACK_MODIFY_STATE    0x0001
#define CALLBACK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|CALLBACK_MODIFY_STATE )

#define DEBUG_READ_EVENT        (0x0001)
#define DEBUG_PROCESS_ASSIGN    (0x0002)
#define DEBUG_SET_INFORMATION   (0x0004)
#define DEBUG_QUERY_INFORMATION (0x0008)
#define DEBUG_ALL_ACCESS     (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|DEBUG_READ_EVENT|DEBUG_PROCESS_ASSIGN|\
                              DEBUG_SET_INFORMATION|DEBUG_QUERY_INFORMATION)

#define DIRECTORY_QUERY                 (0x0001)
#define DIRECTORY_TRAVERSE              (0x0002)
#define DIRECTORY_CREATE_OBJECT         (0x0004)
#define DIRECTORY_CREATE_SUBDIRECTORY   (0x0008)
#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)

#define EVENT_QUERY_STATE       0x0001
#define EVENT_MODIFY_STATE      0x0002  
#define EVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) 

#define EVENT_PAIR_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE)

#define IO_COMPLETION_QUERY_STATE   0x0001
#define IO_COMPLETION_MODIFY_STATE  0x0002  
#define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) 

#define KEYEDEVENT_WAIT 0x0001
#define KEYEDEVENT_WAKE 0x0002
#define KEYEDEVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | KEYEDEVENT_WAIT | KEYEDEVENT_WAKE)

#define MUTANT_QUERY_STATE      0x0001
#define MUTANT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|MUTANT_QUERY_STATE)

#define PORT_CONNECT (0x0001)
#define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1)

#define PROFILE_CONTROL (0x0001)
#define PROFILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | PROFILE_CONTROL)

#define SEMAPHORE_QUERY_STATE       0x0001
#define SEMAPHORE_MODIFY_STATE      0x0002 
#define SEMAPHORE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)

#define SYMBOLIC_LINK_QUERY (0x0001)
#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)

#define THREAD_ALERT	(0x0004)

#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 
#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 
#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080

#define WORKER_FACTORY_RELEASE_WORKER 0x0001
#define WORKER_FACTORY_WAIT 0x0002
#define WORKER_FACTORY_SET_INFORMATION 0x0004
#define WORKER_FACTORY_QUERY_INFORMATION 0x0008
#define WORKER_FACTORY_READY_WORKER 0x0010
#define WORKER_FACTORY_SHUTDOWN 0x0020

#define OBJECT_TYPE_CREATE (0x0001)
#define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)

#define WMIGUID_QUERY                 0x0001
#define WMIGUID_SET                   0x0002
#define WMIGUID_NOTIFICATION          0x0004
#define WMIGUID_READ_DESCRIPTION      0x0008
#define WMIGUID_EXECUTE               0x0010
#define TRACELOG_CREATE_REALTIME      0x0020
#define TRACELOG_CREATE_ONDISK        0x0040
#define TRACELOG_GUID_ENABLE          0x0080
#define TRACELOG_ACCESS_KERNEL_LOGGER 0x0100
#define TRACELOG_CREATE_INPROC        0x0200
#define TRACELOG_ACCESS_REALTIME      0x0400
#define TRACELOG_REGISTER_GUIDS       0x0800

//
// Partition Specific Access Rights.
//

#define MEMORY_PARTITION_QUERY_ACCESS  0x0001
#define MEMORY_PARTITION_MODIFY_ACCESS 0x0002

#define MEMORY_PARTITION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |         \
                                     SYNCHRONIZE |                      \
                                     MEMORY_PARTITION_QUERY_ACCESS |    \
                                     MEMORY_PARTITION_MODIFY_ACCESS)


//
// NtCreateProcessEx specific flags.
//
#define PS_REQUEST_BREAKAWAY        1
#define PS_NO_DEBUG_INHERIT         2
#define PS_INHERIT_HANDLES          4
#define PS_LARGE_PAGES              8
#define PS_ALL_FLAGS                (PS_REQUEST_BREAKAWAY | \
                                     PS_NO_DEBUG_INHERIT  | \
                                     PS_INHERIT_HANDLES   | \
                                     PS_LARGE_PAGES)

#define NtCurrentThread() ( (HANDLE)(LONG_PTR) -2 )
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
#define ZwCurrentProcess() NtCurrentProcess()
#define ZwCurrentThread()	 NtCurrentThread()

//
// Define special ByteOffset parameters for read and write operations
//

#define FILE_WRITE_TO_END_OF_FILE       0xffffffff
#define FILE_USE_FILE_POINTER_POSITION  0xfffffffe

//
// This is the maximum MaximumLength for a UNICODE_STRING.
//

#define MAXUSHORT   0xffff     
#define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) )

typedef struct _EX_RUNDOWN_REF
{
    union
    {
        ULONG Count;
        PVOID Ptr;
    };
} EX_RUNDOWN_REF, *PEX_RUNDOWN_REF;

typedef struct _UNICODE_STRING {
	USHORT Length;
	USHORT MaximumLength;
	PWSTR  Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;

typedef struct _STRING
{
	USHORT Length;
	USHORT MaximumLength;
	PCHAR Buffer;
} STRING;
typedef STRING *PSTRING;

typedef STRING ANSI_STRING;
typedef PSTRING PANSI_STRING;

typedef STRING OEM_STRING;
typedef PSTRING POEM_STRING;
typedef CONST STRING* PCOEM_STRING;
typedef CONST char *PCSZ;

typedef struct _CSTRING
{
	USHORT Length;
	USHORT MaximumLength;
	CONST char *Buffer;
} CSTRING;
typedef CSTRING *PCSTRING;
#define ANSI_NULL ((CHAR)0)

typedef STRING CANSI_STRING;
typedef PSTRING PCANSI_STRING;

typedef struct _OBJECT_ATTRIBUTES {
	ULONG Length;
	HANDLE RootDirectory;
	PUNICODE_STRING ObjectName;
	ULONG Attributes;
	PVOID SecurityDescriptor;
	PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;

typedef struct _IO_STATUS_BLOCK {
	union {
		NTSTATUS Status;
		PVOID Pointer;
	} DUMMYUNIONNAME;

	ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

/*
** Semaphore START
*/

#ifndef _SEMAPHORE_INFORMATION_CLASS
typedef enum _SEMAPHORE_INFORMATION_CLASS {
	SemaphoreBasicInformation
} SEMAPHORE_INFORMATION_CLASS;
#endif

#ifndef _SEMAPHORE_BASIC_INFORMATION
typedef struct _SEMAPHORE_BASIC_INFORMATION {
	LONG CurrentCount;
	LONG MaximumCount;
} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;
#endif

/*
** Semaphore END
*/

/*
** Kernel Debugger START
*/

typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
    BOOLEAN KernelDebuggerEnabled;
    BOOLEAN KernelDebuggerNotPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;

/*
** Kernel Debugger END
*/

/*
** FileCache and MemoryList START
*/

typedef enum _SYSTEM_MEMORY_LIST_COMMAND {
	MemoryCaptureAccessedBits,
	MemoryCaptureAndResetAccessedBits,
	MemoryEmptyWorkingSets,
	MemoryFlushModifiedList,
	MemoryPurgeStandbyList,
	MemoryPurgeLowPriorityStandbyList,
	MemoryCommandMax
} SYSTEM_MEMORY_LIST_COMMAND;

typedef struct _SYSTEM_FILECACHE_INFORMATION {
	SIZE_T CurrentSize;
	SIZE_T PeakSize;
	ULONG PageFaultCount;
	SIZE_T MinimumWorkingSet;
	SIZE_T MaximumWorkingSet;
	SIZE_T CurrentSizeIncludingTransitionInPages;
	SIZE_T PeakSizeIncludingTransitionInPages;
	ULONG TransitionRePurposeCount;
	ULONG Flags;
} SYSTEM_FILECACHE_INFORMATION, *PSYSTEM_FILECACHE_INFORMATION;

/*
** FileCache and MemoryList END
*/

/*
** Processes START
*/

typedef struct _SYSTEM_TIMEOFDAY_INFORMATION {
    LARGE_INTEGER BootTime;
    LARGE_INTEGER CurrentTime;
    LARGE_INTEGER TimeZoneBias;
    ULONG TimeZoneId;
    ULONG Reserved;
    ULONGLONG BootTimeBias;
    ULONGLONG SleepTimeBias;
} SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION;

#ifndef KPRIORITY
typedef LONG KPRIORITY;
#endif

typedef enum _THREAD_STATE {
	StateInitialized,
	StateReady,
	StateRunning,
	StateStandby,
	StateTerminated,
	StateWait,
	StateTransition,
	StateUnknown
} THREAD_STATE;

typedef enum _KWAIT_REASON {
	Executive,
	FreePage,
	PageIn,
	PoolAllocation,
	DelayExecution,
	Suspended,
	UserRequest,
	WrExecutive,
	WrFreePage,
	WrPageIn,
	WrPoolAllocation,
	WrDelayExecution,
	WrSuspended,
	WrUserRequest,
	WrEventPair,
	WrQueue,
	WrLpcReceive,
	WrLpcReply,
	WrVirtualMemory,
	WrPageOut,
	WrRendezvous,
	WrKeyedEvent,
	WrTerminated,
	WrProcessInSwap,
	WrCpuRateControl,
	WrCalloutStack,
	WrKernel,
	WrResource,
	WrPushLock,
	WrMutex,
	WrQuantumEnd,
	WrDispatchInt,
	WrPreempted,
	WrYieldExecution,
	WrFastMutex,
	WrGuardedMutex,
	WrRundown,
	MaximumWaitReason
} KWAIT_REASON;

typedef VOID KSTART_ROUTINE(
	_In_ PVOID StartContext
	);
typedef KSTART_ROUTINE *PKSTART_ROUTINE;

typedef struct _CLIENT_ID {
	HANDLE UniqueProcess;
	HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

typedef struct _CLIENT_ID64 {
	ULONG64 UniqueProcess;
	ULONG64 UniqueThread;
} CLIENT_ID64, *PCLIENT_ID64;

typedef struct _CLIENT_ID32 {
	ULONG32 UniqueProcess;
	ULONG32 UniqueThread;
} CLIENT_ID32, *PCLIENT_ID32;

typedef struct _VM_COUNTERS {
	SIZE_T PeakVirtualSize;
	SIZE_T VirtualSize;
	ULONG PageFaultCount;
	SIZE_T PeakWorkingSetSize;
	SIZE_T WorkingSetSize;
	SIZE_T QuotaPeakPagedPoolUsage;
	SIZE_T QuotaPagedPoolUsage;
	SIZE_T QuotaPeakNonPagedPoolUsage;
	SIZE_T QuotaNonPagedPoolUsage;
	SIZE_T PagefileUsage;
	SIZE_T PeakPagefileUsage;
	SIZE_T PrivatePageCount;
} VM_COUNTERS;

typedef struct _SYSTEM_THREAD_INFORMATION {
	LARGE_INTEGER   KernelTime;
	LARGE_INTEGER   UserTime;
	LARGE_INTEGER   CreateTime;
	ULONG           WaitTime;
	PVOID           StartAddress;
	CLIENT_ID       ClientId;
	KPRIORITY       Priority;
	KPRIORITY       BasePriority;
	ULONG           ContextSwitchCount;
	THREAD_STATE    State;
	KWAIT_REASON    WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;

typedef struct _SYSTEM_PROCESSES_INFORMATION {
	ULONG NextEntryDelta;
	ULONG ThreadCount;
	LARGE_INTEGER SpareLi1;
	LARGE_INTEGER SpareLi2;
	LARGE_INTEGER SpareLi3;
	LARGE_INTEGER CreateTime;
	LARGE_INTEGER UserTime;
	LARGE_INTEGER KernelTime;
	UNICODE_STRING ImageName;
	KPRIORITY BasePriority;
	HANDLE UniqueProcessId;
	HANDLE InheritedFromUniqueProcessId;
	ULONG HandleCount;
	ULONG SessionId;
	ULONG_PTR PageDirectoryBase;
	VM_COUNTERS VmCounters;
	IO_COUNTERS IoCounters;
	SYSTEM_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION;

#if defined(_WIN64)
typedef ULONG SYSINF_PAGE_COUNT;
#else
typedef SIZE_T SYSINF_PAGE_COUNT;
#endif

typedef struct _SYSTEM_BASIC_INFORMATION {
	ULONG Reserved;
	ULONG TimerResolution;
	ULONG PageSize;
	SYSINF_PAGE_COUNT NumberOfPhysicalPages;
	SYSINF_PAGE_COUNT LowestPhysicalPageNumber;
	SYSINF_PAGE_COUNT HighestPhysicalPageNumber;
	ULONG AllocationGranularity;
	ULONG_PTR MinimumUserModeAddress;
	ULONG_PTR MaximumUserModeAddress;
	ULONG_PTR ActiveProcessorsAffinityMask;
	CCHAR NumberOfProcessors;
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;

typedef enum _PROCESSINFOCLASS {
	ProcessBasicInformation = 0,
	ProcessQuotaLimits = 1,
	ProcessIoCounters = 2,
	ProcessVmCounters = 3,
	ProcessTimes = 4,
	ProcessBasePriority = 5,
	ProcessRaisePriority = 6,
	ProcessDebugPort = 7,
	ProcessExceptionPort = 8,
	ProcessAccessToken = 9,
	ProcessLdtInformation = 10,
	ProcessLdtSize = 11,
	ProcessDefaultHardErrorMode = 12,
	ProcessIoPortHandlers = 13,
	ProcessPooledUsageAndLimits = 14,
	ProcessWorkingSetWatch = 15,
	ProcessUserModeIOPL = 16,
	ProcessEnableAlignmentFaultFixup = 17,
	ProcessPriorityClass = 18,
	ProcessWx86Information = 19,
	ProcessHandleCount = 20,
	ProcessAffinityMask = 21,
	ProcessPriorityBoost = 22,
	ProcessDeviceMap = 23,
	ProcessSessionInformation = 24,
	ProcessForegroundInformation = 25,
	ProcessWow64Information = 26,
	ProcessImageFileName = 27,
	ProcessLUIDDeviceMapsEnabled = 28,
	ProcessBreakOnTermination = 29,
	ProcessDebugObjectHandle = 30,
	ProcessDebugFlags = 31,
	ProcessHandleTracing = 32,
	ProcessIoPriority = 33,
	ProcessExecuteFlags = 34,
	ProcessTlsInformation = 35,
	ProcessCookie = 36,
	ProcessImageInformation = 37,
	ProcessCycleTime = 38,
	ProcessPagePriority = 39,
	ProcessInstrumentationCallback = 40,
	ProcessThreadStackAllocation = 41,
	ProcessWorkingSetWatchEx = 42,
	ProcessImageFileNameWin32 = 43,
	ProcessImageFileMapping = 44,
	ProcessAffinityUpdateMode = 45,
	ProcessMemoryAllocationMode = 46,
	ProcessGroupInformation = 47,
	ProcessTokenVirtualizationEnabled = 48,
	ProcessOwnerInformation = 49,
	ProcessWindowInformation = 50,
	ProcessHandleInformation = 51,
	ProcessMitigationPolicy = 52,
	ProcessDynamicFunctionTableInformation = 53,
	ProcessHandleCheckingMode = 54,
	ProcessKeepAliveCount = 55,
	ProcessRevokeFileHandles = 56,
	ProcessWorkingSetControl = 57,
	ProcessHandleTable = 58,
	ProcessCheckStackExtentsMode = 59,
	ProcessCommandLineInformation = 60,
	ProcessProtectionInformation = 61,
	MaxProcessInfoClass = 62
} PROCESSINFOCLASS;

typedef enum _THREADINFOCLASS {
	ThreadBasicInformation,
	ThreadTimes,
	ThreadPriority,
	ThreadBasePriority,
	ThreadAffinityMask,
	ThreadImpersonationToken,
	ThreadDescriptorTableEntry,
	ThreadEnableAlignmentFaultFixup,
	ThreadEventPair,
	ThreadQuerySetWin32StartAddress,
	ThreadZeroTlsCell,
	ThreadPerformanceCount,
	ThreadAmILastThread,
	ThreadIdealProcessor,
	ThreadPriorityBoost,
	ThreadSetTlsArrayAddress,
	ThreadIsIoPending,
	ThreadHideFromDebugger,
	ThreadBreakOnTermination,
	ThreadSwitchLegacyState,
	ThreadIsTerminated,
	ThreadLastSystemCall,
	ThreadIoPriority,
	ThreadCycleTime,
	ThreadPagePriority,
	ThreadActualBasePriority,
	ThreadTebInformation,
	ThreadCSwitchMon,
	ThreadCSwitchPmu,
	ThreadWow64Context,
	ThreadGroupInformation,
	ThreadUmsInformation,
	ThreadCounterProfiling,
	ThreadIdealProcessorEx,
	ThreadCpuAccountingInformation,
	ThreadSuspendCount,
	ThreadHeterogeneousCpuPolicy,
	ThreadContainerId,
	ThreadNameInformation,
	ThreadProperty,
	ThreadSelectedCpuSets,
	ThreadSystemThreadInformation,
	MaxThreadInfoClass
} THREADINFOCLASS;

typedef struct _PROCESS_BASIC_INFORMATION {
	NTSTATUS ExitStatus;
	PVOID PebBaseAddress;
	ULONG_PTR AffinityMask;
	KPRIORITY BasePriority;
	ULONG_PTR UniqueProcessId;
	ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;

typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION {
	SIZE_T Size;
	PROCESS_BASIC_INFORMATION BasicInfo;
	union
	{
		ULONG Flags;
		struct
		{
			ULONG IsProtectedProcess : 1;
			ULONG IsWow64Process : 1;
			ULONG IsProcessDeleting : 1;
			ULONG IsCrossSessionCreate : 1;
			ULONG IsFrozen : 1;
			ULONG IsBackground : 1;
			ULONG IsStronglyNamed : 1;
			ULONG SpareBits : 25;
		} DUMMYSTRUCTNAME;
	} DUMMYUNIONNAME;
} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;

typedef struct _PROCESS_ACCESS_TOKEN {
    HANDLE Token;
    HANDLE Thread;
} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;

//thanks to wj32 headers

typedef enum _PS_CREATE_STATE {
    PsCreateInitialState,
    PsCreateFailOnFileOpen,
    PsCreateFailOnSectionCreate,
    PsCreateFailExeFormat,
    PsCreateFailMachineMismatch,
    PsCreateFailExeName, 
    PsCreateSuccess,
    PsCreateMaximumStates
} PS_CREATE_STATE;

typedef struct _PS_CREATE_INFO {
    SIZE_T Size;
    PS_CREATE_STATE State;
    union
    {
        struct
        {
            union
            {
                ULONG InitFlags;
                struct
                {
                    UCHAR WriteOutputOnExit : 1;
                    UCHAR DetectManifest : 1;
                    UCHAR IFEOSkipDebugger : 1;
                    UCHAR IFEODoNotPropagateKeyState : 1;
                    UCHAR SpareBits1 : 4;
                    UCHAR SpareBits2 : 8;
                    USHORT ProhibitedImageCharacteristics : 16;
                };
            };
            ACCESS_MASK AdditionalFileAccess;
        } InitState;

        struct
        {
            HANDLE FileHandle;
        } FailSection;

        struct
        {
            USHORT DllCharacteristics;
        } ExeFormat;

        struct
        {
            HANDLE IFEOKey;
        } ExeName;

        struct
        {
            union
            {
                ULONG OutputFlags;
                struct
                {
                    UCHAR ProtectedProcess : 1;
                    UCHAR AddressSpaceOverride : 1;
                    UCHAR DevOverrideEnabled : 1; 
                    UCHAR ManifestDetected : 1;
                    UCHAR ProtectedProcessLight : 1;
                    UCHAR SpareBits1 : 3;
                    UCHAR SpareBits2 : 8;
                    USHORT SpareBits3 : 16;
                };
            };
            HANDLE FileHandle;
            HANDLE SectionHandle;
            ULONGLONG UserProcessParametersNative;
            ULONG UserProcessParametersWow64;
            ULONG CurrentParameterFlags;
            ULONGLONG PebAddressNative;
            ULONG PebAddressWow64;
            ULONGLONG ManifestAddress;
            ULONG ManifestSize;
        } SuccessState;
    };
} PS_CREATE_INFO, *PPS_CREATE_INFO;

typedef struct _PS_ATTRIBUTE
{
    ULONG Attribute;
    SIZE_T Size;
    union
    {
        ULONG Value;
        PVOID ValuePtr;
    };
    PSIZE_T ReturnLength;
} PS_ATTRIBUTE, *PPS_ATTRIBUTE;

typedef struct _PS_ATTRIBUTE_LIST
{
    SIZE_T TotalLength;
    PS_ATTRIBUTE Attributes[1];
} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;

typedef enum _PS_PROTECTED_TYPE
{
    PsProtectedTypeNone,
    PsProtectedTypeProtectedLight,
    PsProtectedTypeProtected,
    PsProtectedTypeMax
} PS_PROTECTED_TYPE;

typedef enum _PS_PROTECTED_SIGNER
{
    PsProtectedSignerNone,
    PsProtectedSignerAuthenticode,
    PsProtectedSignerCodeGen,
    PsProtectedSignerAntimalware,
    PsProtectedSignerLsa,
    PsProtectedSignerWindows,
    PsProtectedSignerWinTcb,
    PsProtectedSignerMax
} PS_PROTECTED_SIGNER;

typedef struct _PS_PROTECTION
{
    union
    {
        UCHAR Level;
        struct
        {
            UCHAR Type : 3;
            UCHAR Audit : 1;
            UCHAR Signer : 4;
        };
    };
} PS_PROTECTION, *PPS_PROTECTION;

// begin_rev
#define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff
#define PS_ATTRIBUTE_THREAD 0x00010000 
#define PS_ATTRIBUTE_INPUT 0x00020000 
#define PS_ATTRIBUTE_ADDITIVE 0x00040000 
// end_rev

typedef enum _PS_ATTRIBUTE_NUM {
    PsAttributeParentProcess, 
    PsAttributeDebugPort, 
    PsAttributeToken, 
    PsAttributeClientId, 
    PsAttributeTebAddress, 
    PsAttributeImageName, 
    PsAttributeImageInfo, 
    PsAttributeMemoryReserve,
    PsAttributePriorityClass, 
    PsAttributeErrorMode, 
    PsAttributeStdHandleInfo, 
    PsAttributeHandleList,
    PsAttributeGroupAffinity, 
    PsAttributePreferredNode, 
    PsAttributeIdealProcessor,
    PsAttributeUmsThread,
    PsAttributeMitigationOptions, 
    PsAttributeProtectionLevel,
    PsAttributeSecureProcess, 
    PsAttributeJobList,
    PsAttributeMax
} PS_ATTRIBUTE_NUM;

#define PsAttributeValue(Number, Thread, Input, Unknown) \
    (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \
    ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \
    ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \
    ((Unknown) ? PS_ATTRIBUTE_ADDITIVE : 0))

#define PS_ATTRIBUTE_PARENT_PROCESS \
    PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_DEBUG_PORT \
    PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_TOKEN \
    PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_CLIENT_ID \
    PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE)
#define PS_ATTRIBUTE_TEB_ADDRESS \
    PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE)
#define PS_ATTRIBUTE_IMAGE_NAME \
    PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_IMAGE_INFO \
    PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE)
#define PS_ATTRIBUTE_MEMORY_RESERVE \
    PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_PRIORITY_CLASS \
    PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_ERROR_MODE \
    PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_STD_HANDLE_INFO \
    PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_HANDLE_LIST \
    PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_GROUP_AFFINITY \
    PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE)
#define PS_ATTRIBUTE_PREFERRED_NODE \
    PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_IDEAL_PROCESSOR \
    PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE)
#define PS_ATTRIBUTE_MITIGATION_OPTIONS \
    PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE)


#define RTL_USER_PROC_PARAMS_NORMALIZED     0x00000001
#define RTL_USER_PROC_PROFILE_USER          0x00000002
#define RTL_USER_PROC_PROFILE_KERNEL        0x00000004
#define RTL_USER_PROC_PROFILE_SERVER        0x00000008
#define RTL_USER_PROC_RESERVE_1MB           0x00000020
#define RTL_USER_PROC_RESERVE_16MB          0x00000040
#define RTL_USER_PROC_CASE_SENSITIVE        0x00000080
#define RTL_USER_PROC_DISABLE_HEAP_DECOMMIT 0x00000100
#define RTL_USER_PROC_DLL_REDIRECTION_LOCAL 0x00001000
#define RTL_USER_PROC_APP_MANIFEST_PRESENT  0x00002000
#define RTL_USER_PROC_IMAGE_KEY_MISSING     0x00004000
#define RTL_USER_PROC_OPTIN_PROCESS         0x00020000

/*
** Processes END
*/

#ifndef _SYSTEM_INFORMATION_CLASS
typedef enum _SYSTEM_INFORMATION_CLASS
{
	SystemBasicInformation = 0,
	SystemProcessorInformation = 1,
	SystemPerformanceInformation = 2,
	SystemTimeOfDayInformation = 3,
	SystemPathInformation = 4,
	SystemProcessInformation = 5,
	SystemCallCountInformation = 6,
	SystemDeviceInformation = 7,
	SystemProcessorPerformanceInformation = 8,
	SystemFlagsInformation = 9,
	SystemCallTimeInformation = 10,
	SystemModuleInformation = 11,
	SystemLocksInformation = 12,
	SystemStackTraceInformation = 13,
	SystemPagedPoolInformation = 14,
	SystemNonPagedPoolInformation = 15,
	SystemHandleInformation = 16,
	SystemObjectInformation = 17,
	SystemPageFileInformation = 18,
	SystemVdmInstemulInformation = 19,
	SystemVdmBopInformation = 20,
	SystemFileCacheInformation = 21,
	SystemPoolTagInformation = 22,
	SystemInterruptInformation = 23,
	SystemDpcBehaviorInformation = 24,
	SystemFullMemoryInformation = 25,
	SystemLoadGdiDriverInformation = 26,
	SystemUnloadGdiDriverInformation = 27,
	SystemTimeAdjustmentInformation = 28,
	SystemSummaryMemoryInformation = 29,
	SystemMirrorMemoryInformation = 30,
	SystemPerformanceTraceInformation = 31,
	SystemObsolete0 = 32,
	SystemExceptionInformation = 33,
	SystemCrashDumpStateInformation = 34,
	SystemKernelDebuggerInformation = 35,
	SystemContextSwitchInformation = 36,
	SystemRegistryQuotaInformation = 37,
	SystemExtendServiceTableInformation = 38,
	SystemPrioritySeperation = 39,
	SystemVerifierAddDriverInformation = 40,
	SystemVerifierRemoveDriverInformation = 41,
	SystemProcessorIdleInformation = 42,
	SystemLegacyDriverInformation = 43,
	SystemCurrentTimeZoneInformation = 44,
	SystemLookasideInformation = 45,
	SystemTimeSlipNotification = 46,
	SystemSessionCreate = 47,
	SystemSessionDetach = 48,
	SystemSessionInformation = 49,
	SystemRangeStartInformation = 50,
	SystemVerifierInformation = 51,
	SystemVerifierThunkExtend = 52,
	SystemSessionProcessInformation = 53,
	SystemLoadGdiDriverInSystemSpace = 54,
	SystemNumaProcessorMap = 55,
	SystemPrefetcherInformation = 56,
	SystemExtendedProcessInformation = 57,
	SystemRecommendedSharedDataAlignment = 58,
	SystemComPlusPackage = 59,
	SystemNumaAvailableMemory = 60,
	SystemProcessorPowerInformation = 61,
	SystemEmulationBasicInformation = 62,
	SystemEmulationProcessorInformation = 63,
	SystemExtendedHandleInformation = 64,
	SystemLostDelayedWriteInformation = 65,
	SystemBigPoolInformation = 66,
	SystemSessionPoolTagInformation = 67,
	SystemSessionMappedViewInformation = 68,
	SystemHotpatchInformation = 69,
	SystemObjectSecurityMode = 70,
	SystemWatchdogTimerHandler = 71,
	SystemWatchdogTimerInformation = 72,
	SystemLogicalProcessorInformation = 73,
	SystemWow64SharedInformationObsolete = 74,
	SystemRegisterFirmwareTableInformationHandler = 75,
	SystemFirmwareTableInformation = 76,
	SystemModuleInformationEx = 77,
	SystemVerifierTriageInformation = 78,
	SystemSuperfetchInformation = 79,
	SystemMemoryListInformation = 80,
	SystemFileCacheInformationEx = 81,
	SystemThreadPriorityClientIdInformation = 82,
	SystemProcessorIdleCycleTimeInformation = 83,
	SystemVerifierCancellationInformation = 84,
	SystemProcessorPowerInformationEx = 85,
	SystemRefTraceInformation = 86,
	SystemSpecialPoolInformation = 87,
	SystemProcessIdInformation = 88,
	SystemErrorPortInformation = 89,
	SystemBootEnvironmentInformation = 90,
	SystemHypervisorInformation = 91,
	SystemVerifierInformationEx = 92,
	SystemTimeZoneInformation = 93,
	SystemImageFileExecutionOptionsInformation = 94,
	SystemCoverageInformation = 95,
	SystemPrefetchPatchInformation = 96,
	SystemVerifierFaultsInformation = 97,
	SystemSystemPartitionInformation = 98,
	SystemSystemDiskInformation = 99,
	SystemProcessorPerformanceDistribution = 100,
	SystemNumaProximityNodeInformation = 101,
	SystemDynamicTimeZoneInformation = 102,
	SystemCodeIntegrityInformation = 103,
	SystemProcessorMicrocodeUpdateInformation = 104,
	SystemProcessorBrandString = 105,
	SystemVirtualAddressInformation = 106,
	SystemLogicalProcessorAndGroupInformation = 107,
	SystemProcessorCycleTimeInformation = 108,
	SystemStoreInformation = 109,
	SystemRegistryAppendString = 110,
	SystemAitSamplingValue = 111,
	SystemVhdBootInformation = 112,
	SystemCpuQuotaInformation = 113,
	SystemNativeBasicInformation = 114,
	SystemErrorPortTimeouts = 115,
	SystemLowPriorityIoInformation = 116,
	SystemBootEntropyInformation = 117,
	SystemVerifierCountersInformation = 118,
	SystemPagedPoolInformationEx = 119,
	SystemSystemPtesInformationEx = 120,
	SystemNodeDistanceInformation = 121,
	SystemAcpiAuditInformation = 122,
	SystemBasicPerformanceInformation = 123,
	SystemQueryPerformanceCounterInformation = 124,
	SystemSessionBigPoolInformation = 125,
	SystemBootGraphicsInformation = 126,
	SystemScrubPhysicalMemoryInformation = 127,
	SystemBadPageInformation = 128,
	SystemProcessorProfileControlArea = 129,
	SystemCombinePhysicalMemoryInformation = 130,
	SystemEntropyInterruptTimingInformation = 131,
	SystemConsoleInformation = 132,
	SystemPlatformBinaryInformation = 133,
	SystemPolicyInformation = 134,
	SystemHypervisorProcessorCountInformation = 135,
	SystemDeviceDataInformation = 136,
	SystemDeviceDataEnumerationInformation = 137,
	SystemMemoryTopologyInformation = 138,
	SystemMemoryChannelInformation = 139,
	SystemBootLogoInformation = 140,
	SystemProcessorPerformanceInformationEx = 141,
	SystemSpare0 = 142,
	SystemSecureBootPolicyInformation = 143,
	SystemPageFileInformationEx = 144,
	SystemSecureBootInformation = 145,
	SystemEntropyInterruptTimingRawInformation = 146,
	SystemPortableWorkspaceEfiLauncherInformation = 147,
	SystemFullProcessInformation = 148,
	SystemKernelDebuggerInformationEx = 149,
	SystemBootMetadataInformation = 150,
	SystemSoftRebootInformation = 151,
	SystemElamCertificateInformation = 152,
	SystemOfflineDumpConfigInformation = 153,
	SystemProcessorFeaturesInformation = 154,
	SystemRegistryReconciliationInformation = 155,
	SystemEdidInformation = 156,
	MaxSystemInfoClass = 157
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
#endif

/*
** Timer START
*/

//
// Timer APC routine definition.
//

typedef VOID(*PTIMER_APC_ROUTINE) (
	_In_ PVOID TimerContext,
	_In_ ULONG TimerLowValue,
	_In_ LONG TimerHighValue
	);

typedef enum _TIMER_TYPE {
	NotificationTimer,
	SynchronizationTimer
} TIMER_TYPE;

#ifndef _TIMER_INFORMATION_CLASS
typedef enum _TIMER_INFORMATION_CLASS {
	TimerBasicInformation
} TIMER_INFORMATION_CLASS;
#endif

#ifndef _TIMER_BASIC_INFORMATION
typedef struct _TIMER_BASIC_INFORMATION {
	LARGE_INTEGER RemainingTime;
	BOOLEAN TimerState;
} TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION;
#endif

/*
** Timer END
*/

typedef VOID(NTAPI *PIO_APC_ROUTINE)(
	_In_ PVOID ApcContext,
	_In_ PIO_STATUS_BLOCK IoStatusBlock,
	_In_ ULONG Reserved
	);

typedef struct _OBJECT_DIRECTORY_INFORMATION {
	UNICODE_STRING Name;
	UNICODE_STRING TypeName;
} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;

#ifndef InitializeObjectAttributes
#define InitializeObjectAttributes( p, n, a, r, s ) { \
    (p)->Length = sizeof( OBJECT_ATTRIBUTES );          \
    (p)->RootDirectory = r;                             \
    (p)->Attributes = a;                                \
    (p)->ObjectName = n;                                \
    (p)->SecurityDescriptor = s;                        \
    (p)->SecurityQualityOfService = NULL;               \
    }

//
// Valid values for the Attributes field
//

#define OBJ_INHERIT             0x00000002L
#define OBJ_PERMANENT           0x00000010L
#define OBJ_EXCLUSIVE           0x00000020L
#define OBJ_CASE_INSENSITIVE    0x00000040L
#define OBJ_OPENIF              0x00000080L
#define OBJ_OPENLINK            0x00000100L
#define OBJ_KERNEL_HANDLE       0x00000200L
#define OBJ_FORCE_ACCESS_CHECK  0x00000400L
#define OBJ_VALID_ATTRIBUTES    0x000007F2L

#endif


/*
** Objects START
*/

#ifndef _OBJECT_INFORMATION_CLASS
typedef enum _OBJECT_INFORMATION_CLASS {
	ObjectBasicInformation,
	ObjectNameInformation,
	ObjectTypeInformation,
	ObjectTypesInformation,
	ObjectHandleFlagInformation,
	ObjectSessionInformation,
	MaxObjectInfoClass
} OBJECT_INFORMATION_CLASS;
#endif

#ifndef _OBJECT_BASIC_INFORMATION
typedef struct _OBJECT_BASIC_INFORMATION {
	ULONG Attributes;
	ACCESS_MASK GrantedAccess;
	ULONG HandleCount;
	ULONG PointerCount;
	ULONG PagedPoolCharge;
	ULONG NonPagedPoolCharge;
	ULONG Reserved[3];
	ULONG NameInfoSize;
	ULONG TypeInfoSize;
	ULONG SecurityDescriptorSize;
	LARGE_INTEGER CreationTime;
} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
#endif

#ifndef _OBJECT_NAME_INFORMATION
typedef struct _OBJECT_NAME_INFORMATION {
	UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
#endif

#ifndef _OBJECT_TYPE_INFORMATION
typedef struct _OBJECT_TYPE_INFORMATION {
	UNICODE_STRING TypeName;
	ULONG TotalNumberOfObjects;
	ULONG TotalNumberOfHandles;
	ULONG TotalPagedPoolUsage;
	ULONG TotalNonPagedPoolUsage;
	ULONG TotalNamePoolUsage;
	ULONG TotalHandleTableUsage;
	ULONG HighWaterNumberOfObjects;
	ULONG HighWaterNumberOfHandles;
	ULONG HighWaterPagedPoolUsage;
	ULONG HighWaterNonPagedPoolUsage;
	ULONG HighWaterNamePoolUsage;
	ULONG HighWaterHandleTableUsage;
	ULONG InvalidAttributes;
	GENERIC_MAPPING GenericMapping;
	ULONG ValidAccessMask;
	BOOLEAN SecurityRequired;
	BOOLEAN MaintainHandleCount;
	ULONG PoolType;
	ULONG DefaultPagedPoolCharge;
	ULONG DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
#endif

typedef struct _OBJECT_TYPE_INFORMATION_8 {
	UNICODE_STRING TypeName;
	ULONG TotalNumberOfObjects;
	ULONG TotalNumberOfHandles;
	ULONG TotalPagedPoolUsage;
	ULONG TotalNonPagedPoolUsage;
	ULONG TotalNamePoolUsage;
	ULONG TotalHandleTableUsage;
	ULONG HighWaterNumberOfObjects;
	ULONG HighWaterNumberOfHandles;
	ULONG HighWaterPagedPoolUsage;
	ULONG HighWaterNonPagedPoolUsage;
	ULONG HighWaterNamePoolUsage;
	ULONG HighWaterHandleTableUsage;
	ULONG InvalidAttributes;
	GENERIC_MAPPING GenericMapping;
	ULONG ValidAccessMask;
	BOOLEAN SecurityRequired;
	BOOLEAN MaintainHandleCount;
	UCHAR TypeIndex;
	CHAR ReservedByte;
	ULONG PoolType;
	ULONG DefaultPagedPoolCharge;
	ULONG DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION_8, *POBJECT_TYPE_INFORMATION_8;

#ifndef _OBJECT_TYPES_INFORMATION
typedef struct _OBJECT_TYPES_INFORMATION
{
	ULONG NumberOfTypes;
	OBJECT_TYPE_INFORMATION TypeInformation;
} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION;
#endif

#ifndef _OBJECT_HANDLE_FLAG_INFORMATION
typedef struct _OBJECT_HANDLE_FLAG_INFORMATION
{
	BOOLEAN Inherit;
	BOOLEAN ProtectFromClose;
} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;
#endif
/*
** Objects END
*/

/*
** Boot Entry START
*/

typedef struct _FILE_PATH {
    ULONG Version;
    ULONG Length;
    ULONG Type;
    UCHAR FilePath[ANYSIZE_ARRAY];
} FILE_PATH, *PFILE_PATH;

typedef struct _BOOT_ENTRY {
    ULONG Version;
    ULONG Length;
    ULONG Id;
    ULONG Attributes;
    ULONG FriendlyNameOffset;
    ULONG BootFilePathOffset;
    ULONG OsOptionsLength;
    UCHAR OsOptions[ANYSIZE_ARRAY];
} BOOT_ENTRY, *PBOOT_ENTRY;

typedef struct _BOOT_ENTRY_LIST {
    ULONG NextEntryOffset;
    BOOT_ENTRY BootEntry;
} BOOT_ENTRY_LIST, *PBOOT_ENTRY_LIST;

/*
** Boot Entry END
*/

/*
** File start
*/

#define FILE_SUPERSEDE                  0x00000000
#define FILE_OPEN                       0x00000001
#define FILE_CREATE                     0x00000002
#define FILE_OPEN_IF                    0x00000003
#define FILE_OVERWRITE                  0x00000004
#define FILE_OVERWRITE_IF               0x00000005
#define FILE_MAXIMUM_DISPOSITION        0x00000005

#define FILE_DIRECTORY_FILE                     0x00000001
#define FILE_WRITE_THROUGH                      0x00000002
#define FILE_SEQUENTIAL_ONLY                    0x00000004
#define FILE_NO_INTERMEDIATE_BUFFERING          0x00000008

#define FILE_SYNCHRONOUS_IO_ALERT               0x00000010
#define FILE_SYNCHRONOUS_IO_NONALERT            0x00000020
#define FILE_NON_DIRECTORY_FILE                 0x00000040
#define FILE_CREATE_TREE_CONNECTION             0x00000080

#define FILE_COMPLETE_IF_OPLOCKED               0x00000100
#define FILE_NO_EA_KNOWLEDGE                    0x00000200
#define FILE_OPEN_FOR_RECOVERY                  0x00000400
#define FILE_RANDOM_ACCESS                      0x00000800

#define FILE_DELETE_ON_CLOSE                    0x00001000
#define FILE_OPEN_BY_FILE_ID                    0x00002000
#define FILE_OPEN_FOR_BACKUP_INTENT             0x00004000
#define FILE_NO_COMPRESSION                     0x00008000

#define FILE_RESERVE_OPFILTER                   0x00100000
#define FILE_OPEN_REPARSE_POINT                 0x00200000
#define FILE_OPEN_NO_RECALL                     0x00400000
#define FILE_OPEN_FOR_FREE_SPACE_QUERY          0x00800000


#define FILE_COPY_STRUCTURED_STORAGE            0x00000041
#define FILE_STRUCTURED_STORAGE                 0x00000441

#define FILE_VALID_OPTION_FLAGS                 0x00ffffff
#define FILE_VALID_PIPE_OPTION_FLAGS            0x00000032
#define FILE_VALID_MAILSLOT_OPTION_FLAGS        0x00000032
#define FILE_VALID_SET_FLAGS                    0x00000036

#ifndef _FILE_INFORMATION_CLASS
typedef enum _FILE_INFORMATION_CLASS
{
	FileDirectoryInformation = 1,
	FileFullDirectoryInformation,
	FileBothDirectoryInformation,
	FileBasicInformation,
	FileStandardInformation,
	FileInternalInformation,
	FileEaInformation,
	FileAccessInformation,
	FileNameInformation,
	FileRenameInformation,
	FileLinkInformation,
	FileNamesInformation,
	FileDispositionInformation,
	FilePositionInformation,
	FileFullEaInformation,
	FileModeInformation,
	FileAlignmentInformation,
	FileAllInformation,
	FileAllocationInformation,
	FileEndOfFileInformation,
	FileAlternateNameInformation,
	FileStreamInformation,
	FilePipeInformation,
	FilePipeLocalInformation,
	FilePipeRemoteInformation,
	FileMailslotQueryInformation,
	FileMailslotSetInformation,
	FileCompressionInformation,
	FileObjectIdInformation,
	FileCompletionInformation,
	FileMoveClusterInformation,
	FileQuotaInformation,
	FileReparsePointInformation,
	FileNetworkOpenInformation,
	FileAttributeTagInformation,
	FileTrackingInformation,
	FileIdBothDirectoryInformation,
	FileIdFullDirectoryInformation,
	FileValidDataLengthInformation,
	FileShortNameInformation,
	FileIoCompletionNotificationInformation,
	FileIoStatusBlockRangeInformation,
	FileIoPriorityHintInformation,
	FileSfioReserveInformation,
	FileSfioVolumeInformation,
	FileHardLinkInformation,
	FileProcessIdsUsingFileInformation,
	FileNormalizedNameInformation,
	FileNetworkPhysicalNameInformation,
	FileIdGlobalTxDirectoryInformation,
	FileMaximumInformation
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
#endif

#ifndef _FILE_INFORMATION_CLASS
typedef enum _FSINFOCLASS {
	FileFsVolumeInformation = 1,
	FileFsLabelInformation,
	FileFsSizeInformation,
	FileFsDeviceInformation,
	FileFsAttributeInformation,
	FileFsControlInformation,
	FileFsFullSizeInformation,
	FileFsObjectIdInformation,
	FileFsDriverPathInformation,
	FileFsVolumeFlagsInformation,
	FileFsMaximumInformation
} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;
#endif

typedef struct _FILE_BASIC_INFORMATION {
	LARGE_INTEGER CreationTime;
	LARGE_INTEGER LastAccessTime;
	LARGE_INTEGER LastWriteTime;
	LARGE_INTEGER ChangeTime;
	ULONG FileAttributes;
} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;

typedef struct _FILE_STANDARD_INFORMATION
{
	LARGE_INTEGER AllocationSize;
	LARGE_INTEGER EndOfFile;
	ULONG NumberOfLinks;
	UCHAR DeletePending;
	UCHAR Directory;
} FILE_STANDARD_INFORMATION;

typedef struct _FILE_INTERNAL_INFORMATION {
	LARGE_INTEGER IndexNumber;
} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;

typedef struct _FILE_EA_INFORMATION {
	ULONG EaSize;
} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;

typedef struct _FILE_ACCESS_INFORMATION {
	ACCESS_MASK AccessFlags;
} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;

typedef struct _FILE_POSITION_INFORMATION {
	LARGE_INTEGER CurrentByteOffset;
} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION;

typedef struct _FILE_MODE_INFORMATION {
	ULONG Mode;
} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;

typedef struct _FILE_ALIGNMENT_INFORMATION {
	ULONG AlignmentRequirement;
} FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION;

typedef struct _FILE_NAME_INFORMATION {
	ULONG FileNameLength;
	WCHAR FileName[1];
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;

typedef struct _FILE_ALL_INFORMATION {
	FILE_BASIC_INFORMATION BasicInformation;
	FILE_STANDARD_INFORMATION StandardInformation;
	FILE_INTERNAL_INFORMATION InternalInformation;
	FILE_EA_INFORMATION EaInformation;
	FILE_ACCESS_INFORMATION AccessInformation;
	FILE_POSITION_INFORMATION PositionInformation;
	FILE_MODE_INFORMATION ModeInformation;
	FILE_ALIGNMENT_INFORMATION AlignmentInformation;
	FILE_NAME_INFORMATION NameInformation;
} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;

typedef struct _FILE_NETWORK_OPEN_INFORMATION {
	LARGE_INTEGER CreationTime;
	LARGE_INTEGER LastAccessTime;
	LARGE_INTEGER LastWriteTime;
	LARGE_INTEGER ChangeTime;
	LARGE_INTEGER AllocationSize;
	LARGE_INTEGER EndOfFile;
	ULONG FileAttributes;
} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;

typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION {
	ULONG FileAttributes;
	ULONG ReparseTag;
} FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION;

typedef struct _FILE_ALLOCATION_INFORMATION {
	LARGE_INTEGER AllocationSize;
} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;

typedef struct _FILE_COMPRESSION_INFORMATION {
	LARGE_INTEGER CompressedFileSize;
	USHORT CompressionFormat;
	UCHAR CompressionUnitShift;
	UCHAR ChunkShift;
	UCHAR ClusterShift;
	UCHAR Reserved[3];
} FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION;

typedef struct _FILE_DISPOSITION_INFORMATION {
	BOOLEAN DeleteFile;
} FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION;

typedef struct _FILE_END_OF_FILE_INFORMATION {
	LARGE_INTEGER EndOfFile;
} FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION;

typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION {
	LARGE_INTEGER ValidDataLength;
} FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION;

typedef struct _FILE_LINK_INFORMATION {
	BOOLEAN ReplaceIfExists;
	HANDLE RootDirectory;
	ULONG FileNameLength;
	WCHAR FileName[1];
} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;

typedef struct _FILE_MOVE_CLUSTER_INFORMATION {
	ULONG ClusterCount;
	HANDLE RootDirectory;
	ULONG FileNameLength;
	WCHAR FileName[1];
} FILE_MOVE_CLUSTER_INFORMATION, *PFILE_MOVE_CLUSTER_INFORMATION;

typedef struct _FILE_RENAME_INFORMATION {
	BOOLEAN ReplaceIfExists;
	HANDLE RootDirectory;
	ULONG FileNameLength;
	WCHAR FileName[1];
} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;

typedef struct _FILE_STREAM_INFORMATION {
	ULONG NextEntryOffset;
	ULONG StreamNameLength;
	LARGE_INTEGER StreamSize;
	LARGE_INTEGER StreamAllocationSize;
	WCHAR StreamName[1];
} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;

typedef struct _FILE_TRACKING_INFORMATION {
	HANDLE DestinationFile;
	ULONG ObjectInformationLength;
	CHAR ObjectInformation[1];
} FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION;

typedef struct _FILE_COMPLETION_INFORMATION {
	HANDLE Port;
	PVOID Key;
} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION;

//
// Define the NamedPipeType flags for NtCreateNamedPipeFile
//

#define FILE_PIPE_BYTE_STREAM_TYPE      0x00000000
#define FILE_PIPE_MESSAGE_TYPE          0x00000001

//
// Define the CompletionMode flags for NtCreateNamedPipeFile
//

#define FILE_PIPE_QUEUE_OPERATION       0x00000000
#define FILE_PIPE_COMPLETE_OPERATION    0x00000001

//
// Define the ReadMode flags for NtCreateNamedPipeFile
//

#define FILE_PIPE_BYTE_STREAM_MODE      0x00000000
#define FILE_PIPE_MESSAGE_MODE          0x00000001

//
// Define the NamedPipeConfiguration flags for NtQueryInformation
//

#define FILE_PIPE_INBOUND               0x00000000
#define FILE_PIPE_OUTBOUND              0x00000001
#define FILE_PIPE_FULL_DUPLEX           0x00000002

//
// Define the NamedPipeState flags for NtQueryInformation
//

#define FILE_PIPE_DISCONNECTED_STATE    0x00000001
#define FILE_PIPE_LISTENING_STATE       0x00000002
#define FILE_PIPE_CONNECTED_STATE       0x00000003
#define FILE_PIPE_CLOSING_STATE         0x00000004

//
// Define the NamedPipeEnd flags for NtQueryInformation
//

#define FILE_PIPE_CLIENT_END            0x00000000
#define FILE_PIPE_SERVER_END            0x00000001


typedef struct _FILE_PIPE_INFORMATION {
	ULONG ReadMode;
	ULONG CompletionMode;
} FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION;

typedef struct _FILE_PIPE_LOCAL_INFORMATION {
	ULONG NamedPipeType;
	ULONG NamedPipeConfiguration;
	ULONG MaximumInstances;
	ULONG CurrentInstances;
	ULONG InboundQuota;
	ULONG ReadDataAvailable;
	ULONG OutboundQuota;
	ULONG WriteQuotaAvailable;
	ULONG NamedPipeState;
	ULONG NamedPipeEnd;
} FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION;

typedef struct _FILE_PIPE_REMOTE_INFORMATION {
	LARGE_INTEGER CollectDataTime;
	ULONG MaximumCollectionCount;
} FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION;

typedef struct _FILE_MAILSLOT_QUERY_INFORMATION {
	ULONG MaximumMessageSize;
	ULONG MailslotQuota;
	ULONG NextMessageSize;
	ULONG MessagesAvailable;
	LARGE_INTEGER ReadTimeout;
} FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION;

typedef struct _FILE_MAILSLOT_SET_INFORMATION {
	PLARGE_INTEGER ReadTimeout;
} FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION;

typedef struct _FILE_REPARSE_POINT_INFORMATION {
	LONGLONG FileReference;
	ULONG Tag;
} FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION;

//
// Define the flags for NtSet(Query)EaFile service structure entries
//

#define FILE_NEED_EA                    0x00000080

//
// Define EA type values
//

#define FILE_EA_TYPE_BINARY             0xfffe
#define FILE_EA_TYPE_ASCII              0xfffd
#define FILE_EA_TYPE_BITMAP             0xfffb
#define FILE_EA_TYPE_METAFILE           0xfffa
#define FILE_EA_TYPE_ICON               0xfff9
#define FILE_EA_TYPE_EA                 0xffee
#define FILE_EA_TYPE_MVMT               0xffdf
#define FILE_EA_TYPE_MVST               0xffde
#define FILE_EA_TYPE_ASN1               0xffdd
#define FILE_EA_TYPE_FAMILY_IDS         0xff01

typedef struct _FILE_FULL_EA_INFORMATION {
	ULONG NextEntryOffset;
	UCHAR Flags;
	UCHAR EaNameLength;
	USHORT EaValueLength;
	CHAR EaName[1];
} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION;

typedef struct _FILE_GET_EA_INFORMATION {
	ULONG NextEntryOffset;
	UCHAR EaNameLength;
	CHAR EaName[1];
} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION;

typedef struct _FILE_GET_QUOTA_INFORMATION {
	ULONG NextEntryOffset;
	ULONG SidLength;
	SID Sid;
} FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION;

typedef struct _FILE_QUOTA_INFORMATION {
	ULONG NextEntryOffset;
	ULONG SidLength;
	LARGE_INTEGER ChangeTime;
	LARGE_INTEGER QuotaUsed;
	LARGE_INTEGER QuotaThreshold;
	LARGE_INTEGER QuotaLimit;
	SID Sid;
} FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION;

typedef struct _FILE_DIRECTORY_INFORMATION {
	ULONG NextEntryOffset;
	ULONG FileIndex;
	LARGE_INTEGER CreationTime;
	LARGE_INTEGER LastAccessTime;
	LARGE_INTEGER LastWriteTime;
	LARGE_INTEGER ChangeTime;
	LARGE_INTEGER EndOfFile;
	LARGE_INTEGER AllocationSize;
	ULONG FileAttributes;
	ULONG FileNameLength;
	WCHAR FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;

typedef struct _FILE_FULL_DIR_INFORMATION {
	ULONG NextEntryOffset;
	ULONG FileIndex;
	LARGE_INTEGER CreationTime;
	LARGE_INTEGER LastAccessTime;
	LARGE_INTEGER LastWriteTime;
	LARGE_INTEGER ChangeTime;
	LARGE_INTEGER EndOfFile;
	LARGE_INTEGER AllocationSize;
	ULONG FileAttributes;
	ULONG FileNameLength;
	ULONG EaSize;
	WCHAR FileName[1];
} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;

typedef struct _FILE_ID_FULL_DIR_INFORMATION {
	ULONG NextEntryOffset;
	ULONG FileIndex;
	LARGE_INTEGER CreationTime;
	LARGE_INTEGER LastAccessTime;
	LARGE_INTEGER LastWriteTime;
	LARGE_INTEGER ChangeTime;
	LARGE_INTEGER EndOfFile;
	LARGE_INTEGER AllocationSize;
	ULONG FileAttributes;
	ULONG FileNameLength;
	ULONG EaSize;
	LARGE_INTEGER FileId;
	WCHAR FileName[1];
} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;

typedef struct _FILE_BOTH_DIR_INFORMATION {
	ULONG NextEntryOffset;
	ULONG FileIndex;
	LARGE_INTEGER CreationTime;
	LARGE_INTEGER LastAccessTime;
	LARGE_INTEGER LastWriteTime;
	LARGE_INTEGER ChangeTime;
	LARGE_INTEGER EndOfFile;
	LARGE_INTEGER AllocationSize;
	ULONG FileAttributes;
	ULONG FileNameLength;
	ULONG EaSize;
	CCHAR ShortNameLength;
	WCHAR ShortName[12];
	WCHAR FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;

typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
	ULONG NextEntryOffset;
	ULONG FileIndex;
	LARGE_INTEGER CreationTime;
	LARGE_INTEGER LastAccessTime;
	LARGE_INTEGER LastWriteTime;
	LARGE_INTEGER ChangeTime;
	LARGE_INTEGER EndOfFile;
	LARGE_INTEGER AllocationSize;
	ULONG FileAttributes;
	ULONG FileNameLength;
	ULONG EaSize;
	CCHAR ShortNameLength;
	WCHAR ShortName[12];
	LARGE_INTEGER FileId;
	WCHAR FileName[1];
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;

typedef struct _FILE_NAMES_INFORMATION {
	ULONG NextEntryOffset;
	ULONG FileIndex;
	ULONG FileNameLength;
	WCHAR FileName[1];
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;

typedef struct _FILE_OBJECTID_INFORMATION {
	LONGLONG FileReference;
	UCHAR ObjectId[16];
	union {
		struct {
			UCHAR BirthVolumeId[16];
			UCHAR BirthObjectId[16];
			UCHAR DomainId[16];
		};
		UCHAR ExtendedInfo[48];
	};
} FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION;

typedef struct _FILE_FS_VOLUME_INFORMATION {
	LARGE_INTEGER VolumeCreationTime;
	ULONG         VolumeSerialNumber;
	ULONG         VolumeLabelLength;
	BOOLEAN       SupportsObjects;
	WCHAR         VolumeLabel[1];
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;

/*
** File END
*/

/*
** Section START
*/

#ifndef _SECTION_INFORMATION_CLASS
typedef enum _SECTION_INFORMATION_CLASS {
	SectionBasicInformation,
	SectionImageInformation,
	SectionRelocationInformation,
	MaxSectionInfoClass
} SECTION_INFORMATION_CLASS;
#endif

typedef struct _SECTIONBASICINFO {
	PVOID BaseAddress;
	ULONG AllocationAttributes;
	LARGE_INTEGER MaximumSize;
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;

typedef struct _SECTION_IMAGE_INFORMATION {
	PVOID TransferAddress;
	ULONG ZeroBits;
	SIZE_T MaximumStackSize;
	SIZE_T CommittedStackSize;
	ULONG SubSystemType;
	union {
		struct {
			USHORT SubSystemMinorVersion;
			USHORT SubSystemMajorVersion;
		};
		ULONG SubSystemVersion;
	};
	ULONG GpValue;
	USHORT ImageCharacteristics;
	USHORT DllCharacteristics;
	USHORT Machine;
	BOOLEAN ImageContainsCode;
	BOOLEAN Spare1;
	ULONG LoaderFlags;
	ULONG ImageFileSize;
	ULONG Reserved[1];
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;

typedef struct _SECTION_IMAGE_INFORMATION64 {
	ULONGLONG TransferAddress;
	ULONG ZeroBits;
	ULONGLONG MaximumStackSize;
	ULONGLONG CommittedStackSize;
	ULONG SubSystemType;
	union {
		struct {
			USHORT SubSystemMinorVersion;
			USHORT SubSystemMajorVersion;
		};
		ULONG SubSystemVersion;
	};
	ULONG GpValue;
	USHORT ImageCharacteristics;
	USHORT DllCharacteristics;
	USHORT Machine;
	BOOLEAN ImageContainsCode;
	BOOLEAN Spare1;
	ULONG LoaderFlags;
	ULONG ImageFileSize;
	ULONG Reserved[1];
} SECTION_IMAGE_INFORMATION64, *PSECTION_IMAGE_INFORMATION64;

typedef enum _SECTION_INHERIT {
	ViewShare = 1,
	ViewUnmap = 2
} SECTION_INHERIT;

#define SEC_BASED          0x200000
#define SEC_NO_CHANGE      0x400000
#define SEC_FILE           0x800000     
#define SEC_IMAGE         0x1000000     
#define SEC_RESERVE       0x4000000     
#define SEC_COMMIT        0x8000000     
#define SEC_NOCACHE      0x10000000     
#define SEC_GLOBAL       0x20000000
#define SEC_LARGE_PAGES  0x80000000    

/*
** Section END
*/

/*
** Kernel Debugger START
*/

#ifndef _SYSDBG_COMMAND
typedef enum _SYSDBG_COMMAND {
	SysDbgQueryModuleInformation,
	SysDbgQueryTraceInformation,
	SysDbgSetTracepoint,
	SysDbgSetSpecialCall,
	SysDbgClearSpecialCalls,
	SysDbgQuerySpecialCalls,
	SysDbgBreakPoint,
	SysDbgQueryVersion,
	SysDbgReadVirtual,
	SysDbgWriteVirtual,
	SysDbgReadPhysical,
	SysDbgWritePhysical,
	SysDbgReadControlSpace,
	SysDbgWriteControlSpace,
	SysDbgReadIoSpace,
	SysDbgWriteIoSpace,
	SysDbgReadMsr,
	SysDbgWriteMsr,
	SysDbgReadBusData,
	SysDbgWriteBusData,
	SysDbgCheckLowMemory,
	SysDbgEnableKernelDebugger,
	SysDbgDisableKernelDebugger,
	SysDbgGetAutoKdEnable,
	SysDbgSetAutoKdEnable,
	SysDbgGetPrintBufferSize,
	SysDbgSetPrintBufferSize,
	SysDbgGetKdUmExceptionEnable,
	SysDbgSetKdUmExceptionEnable,
	SysDbgGetTriageDump,
	SysDbgGetKdBlockEnable,
	SysDbgSetKdBlockEnable,
	SysDbgRegisterForUmBreakInfo,
	SysDbgGetUmBreakPid,
	SysDbgClearUmBreakPid,
	SysDbgGetUmAttachPid,
	SysDbgClearUmAttachPid
} SYSDBG_COMMAND, *PSYSDBG_COMMAND;
#endif

#ifndef _SYSDBG_VIRTUAL
typedef struct _SYSDBG_VIRTUAL
{
	PVOID Address;
	PVOID Buffer;
	ULONG Request;
} SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL;
#endif

/*
** Kernel Debugger END
*/

/*
** System Table START
*/
#define NUMBER_SERVICE_TABLES 2
#define SERVICE_NUMBER_MASK ((1 << 12) -  1)

#if defined(_WIN64)

#if defined(_AMD64_)

#define SERVICE_TABLE_SHIFT (12 - 4)
#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 4)
#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 4)

#else

#define SERVICE_TABLE_SHIFT (12 - 5)
#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 5)
#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 5)

#endif

#else

#define SERVICE_TABLE_SHIFT (12 - 4)
#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 4)
#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 4)

#endif

typedef struct _KSERVICE_TABLE_DESCRIPTOR {
	ULONG_PTR Base; //e.g. KiServiceTable
	PULONG Count;
	ULONG Limit;//e.g. KiServiceLimit
	PUCHAR Number; //e.g. KiArgumentTable
} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;
/*
** System Table END
*/


/*
** System Boot Environment START
*/

typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1 // Size=20
{
	struct _GUID BootIdentifier;
	enum _FIRMWARE_TYPE FirmwareType;
} SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1;

typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION // Size=32
{
	struct _GUID BootIdentifier;
	enum _FIRMWARE_TYPE FirmwareType;
	unsigned __int64 BootFlags;
} SYSTEM_BOOT_ENVIRONMENT_INFORMATION, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION;

/*
** System Boot Environment END
*/

/*
** Mutant START
*/

#ifndef _MUTANT_INFORMATION_CLASS
typedef enum _MUTANT_INFORMATION_CLASS {
	MutantBasicInformation
} MUTANT_INFORMATION_CLASS;
#endif

#ifndef _MUTANT_BASIC_INFORMATION
typedef struct _MUTANT_BASIC_INFORMATION {
	LONG CurrentCount;
	BOOLEAN OwnedByCaller;
	BOOLEAN AbandonedState;
} MUTANT_BASIC_INFORMATION, *PMUTANT_BASIC_INFORMATION;
#endif

/*
** Mutant END
*/

/*
** Key START
*/

#ifndef _KEY_INFORMATION_CLASS 
typedef enum _KEY_INFORMATION_CLASS {
	KeyBasicInformation,
	KeyNodeInformation,
	KeyFullInformation,
	KeyNameInformation,
	KeyCachedInformation,
	KeyFlagsInformation,
	MaxKeyInfoClass
} KEY_INFORMATION_CLASS;
#endif

#ifndef _KEY_FULL_INFORMATION
typedef struct _KEY_FULL_INFORMATION {
	LARGE_INTEGER LastWriteTime;
	ULONG   TitleIndex;
	ULONG   ClassOffset;
	ULONG   ClassLength;
	ULONG   SubKeys;
	ULONG   MaxNameLen;
	ULONG   MaxClassLen;
	ULONG   Values;
	ULONG   MaxValueNameLen;
	ULONG   MaxValueDataLen;
	WCHAR   Class[1];
} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;
#endif

#ifndef _KEY_BASIC_INFORMATION
typedef struct _KEY_BASIC_INFORMATION {
	LARGE_INTEGER LastWriteTime;
	ULONG TitleIndex;
	ULONG NameLength;
	WCHAR Name[1];
} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;
#endif

#ifndef _KEY_VALUE_INFORMATION_CLASS
typedef enum _KEY_VALUE_INFORMATION_CLASS {
	KeyValueBasicInformation,
	KeyValueFullInformation,
	KeyValuePartialInformation,
	KeyValueFullInformationAlign64,
	KeyValuePartialInformationAlign64,
	MaxKeyValueInfoClass
} KEY_VALUE_INFORMATION_CLASS;
#endif

#ifndef _KEY_VALUE_BASIC_INFORMATION
typedef struct _KEY_VALUE_BASIC_INFORMATION {
	ULONG   TitleIndex;
	ULONG   Type;
	ULONG   NameLength;
	WCHAR   Name[1];            // Variable size
} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;
#endif

#ifndef _KEY_VALUE_FULL_INFORMATION
typedef struct _KEY_VALUE_FULL_INFORMATION {
	ULONG   TitleIndex;
	ULONG   Type;
	ULONG   DataOffset;
	ULONG   DataLength;
	ULONG   NameLength;
	WCHAR   Name[1];            // Variable size
	//          Data[1];            // Variable size data not declared
} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;
#endif

#ifndef _KEY_VALUE_PARTIAL_INFORMATION
typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
	ULONG   TitleIndex;
	ULONG   Type;
	ULONG   DataLength;
	UCHAR   Data[1];            // Variable size
} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
#endif

#ifndef _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64
typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 {
	ULONG   Type;
	ULONG   DataLength;
	UCHAR   Data[1];            // Variable size
} KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64;
#endif

#ifndef _KEY_VALUE_ENTRY
typedef struct _KEY_VALUE_ENTRY {
	PUNICODE_STRING ValueName;
	ULONG           DataLength;
	ULONG           DataOffset;
	ULONG           Type;
} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;
#endif

/*
** Key END
*/

/*
** IoCompletion START
*/

#ifndef _IO_COMPLETION_INFORMATION_CLASS
typedef enum _IO_COMPLETION_INFORMATION_CLASS {
	IoCompletionBasicInformation
} IO_COMPLETION_INFORMATION_CLASS;
#endif

#ifndef _IO_COMPLETION_BASIC_INFORMATION
typedef struct _IO_COMPLETION_BASIC_INFORMATION {
	LONG Depth;
} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION;
#endif

/*
** IoCompletion END
*/

/*
** Event START
*/

//
// Event Specific Access Rights.
//

typedef enum _EVENT_INFORMATION_CLASS {
	EventBasicInformation
} EVENT_INFORMATION_CLASS;

typedef enum _EVENT_TYPE {
	NotificationEvent,
	SynchronizationEvent
} EVENT_TYPE;

typedef struct _EVENT_BASIC_INFORMATION {
	EVENT_TYPE EventType;
	LONG EventState;
} EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION;

/*
** Event END
*/

/*
** TIME_FIELDS START
*/

#ifndef CSHORT
typedef short CSHORT;
#endif
typedef struct _TIME_FIELDS {
	CSHORT Year;        // range [1601...]
	CSHORT Month;       // range [1..12]
	CSHORT Day;         // range [1..31]
	CSHORT Hour;        // range [0..23]
	CSHORT Minute;      // range [0..59]
	CSHORT Second;      // range [0..59]
	CSHORT Milliseconds;// range [0..999]
	CSHORT Weekday;     // range [0..6] == [Sunday..Saturday]
} TIME_FIELDS;
typedef TIME_FIELDS *PTIME_FIELDS;

/*
** TIME_FIELDS END
*/

/*
** HANDLE START
*/

typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
	USHORT UniqueProcessId;
	USHORT CreatorBackTraceIndex;
	UCHAR ObjectTypeIndex;
	UCHAR HandleAttributes;
	USHORT HandleValue;
	PVOID Object;
	ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

typedef struct _SYSTEM_HANDLE_INFORMATION {
	ULONG NumberOfHandles;
	SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

/*
** HANDLE END
*/

// Privileges

#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
#define SE_CREATE_TOKEN_PRIVILEGE (2L)
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
#define SE_LOCK_MEMORY_PRIVILEGE (4L)
#define SE_INCREASE_QUOTA_PRIVILEGE (5L)
#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
#define SE_TCB_PRIVILEGE (7L)
#define SE_SECURITY_PRIVILEGE (8L)
#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
#define SE_LOAD_DRIVER_PRIVILEGE (10L)
#define SE_SYSTEM_PROFILE_PRIVILEGE (11L)
#define SE_SYSTEMTIME_PRIVILEGE (12L)
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
#define SE_CREATE_PERMANENT_PRIVILEGE (16L)
#define SE_BACKUP_PRIVILEGE (17L)
#define SE_RESTORE_PRIVILEGE (18L)
#define SE_SHUTDOWN_PRIVILEGE (19L)
#define SE_DEBUG_PRIVILEGE (20L)
#define SE_AUDIT_PRIVILEGE (21L)
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
#define SE_UNDOCK_PRIVILEGE (25L)
#define SE_SYNC_AGENT_PRIVILEGE (26L)
#define SE_ENABLE_DELEGATION_PRIVILEGE (27L)
#define SE_MANAGE_VOLUME_PRIVILEGE (28L)
#define SE_IMPERSONATE_PRIVILEGE (29L)
#define SE_CREATE_GLOBAL_PRIVILEGE (30L)
#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L)
#define SE_RELABEL_PRIVILEGE (32L)
#define SE_INC_WORKING_SET_PRIVILEGE (33L)
#define SE_TIME_ZONE_PRIVILEGE (34L)
#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L)
#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

/*
** OBJECT MANAGER START
*/

//
// Header flags
//

#define OB_FLAG_NEW_OBJECT              0x01
#define OB_FLAG_KERNEL_OBJECT           0x02
#define OB_FLAG_CREATOR_INFO            0x04
#define OB_FLAG_EXCLUSIVE_OBJECT        0x08
#define OB_FLAG_PERMANENT_OBJECT        0x10
#define OB_FLAG_DEFAULT_SECURITY_QUOTA  0x20
#define OB_FLAG_SINGLE_HANDLE_ENTRY     0x40
#define OB_FLAG_DELETED_INLINE          0x80

//
// InfoMask values
//

#define OB_INFOMASK_PROCESS_INFO	0x10
#define OB_INFOMASK_QUOTA			0x08
#define OB_INFOMASK_HANDLE			0x04
#define OB_INFOMASK_NAME			0x02
#define OB_INFOMASK_CREATOR_INFO	0x01

typedef PVOID *PDEVICE_MAP;

typedef struct _OBJECT_DIRECTORY_ENTRY {
	PVOID ChainLink;
	PVOID Object;
	ULONG HashValue;
} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;

typedef struct _EX_PUSH_LOCK {
	union
	{
		ULONG Locked : 1;
		ULONG Waiting : 1;
		ULONG Waking : 1;
		ULONG MultipleShared : 1;
		ULONG Shared : 28;
		ULONG Value;
		PVOID Ptr;
	};
} EX_PUSH_LOCK, *PEX_PUSH_LOCK;

typedef struct _OBJECT_NAMESPACE_LOOKUPTABLE {
	LIST_ENTRY HashBuckets[37];
	EX_PUSH_LOCK Lock;
	ULONG NumberOfPrivateSpaces;
} OBJECT_NAMESPACE_LOOKUPTABLE, *POBJECT_NAMESPACE_LOOKUPTABLE;

typedef struct _OBJECT_NAMESPACE_ENTRY {
	LIST_ENTRY ListEntry;
	PVOID NamespaceRootDirectory;
	ULONG SizeOfBoundaryInformation;
	ULONG Reserved;
	UCHAR HashValue;
	ULONG Alignment;
} OBJECT_NAMESPACE_ENTRY, *POBJECT_NAMESPACE_ENTRY;

typedef struct _OBJECT_DIRECTORY {
	POBJECT_DIRECTORY_ENTRY HashBuckets[37];
	EX_PUSH_LOCK Lock;
	PDEVICE_MAP DeviceMap;
	ULONG SessionId;
	PVOID NamespaceEntry;
	ULONG Flags;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;

typedef struct _OBJECT_HEADER_NAME_INFO {
	POBJECT_DIRECTORY Directory;
	UNICODE_STRING Name;
	ULONG QueryReferences;
} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO;

typedef struct _OBJECT_HEADER_CREATOR_INFO {// Size=32
	LIST_ENTRY TypeList; // Size=16 Offset=0
	PVOID CreatorUniqueProcess; // Size=8 Offset=16
	USHORT CreatorBackTraceIndex; // Size=2 Offset=24
	USHORT Reserved; // Size=2 Offset=26
} OBJECT_HEADER_CREATOR_INFO, *POBJECT_HEADER_CREATOR_INFO;

typedef struct _OBJECT_HANDLE_COUNT_ENTRY {// Size=16
	PVOID Process; // Size=8 Offset=0
	struct
	{
		unsigned long HandleCount : 24; // Size=4 Offset=8 BitOffset=0 BitCount=24
		unsigned long LockCount : 8; // Size=4 Offset=8 BitOffset=24 BitCount=8
	};
} OBJECT_HANDLE_COUNT_ENTRY, *POBJECT_HANDLE_COUNT_ENTRY;

typedef struct _OBJECT_HEADER_HANDLE_INFO // Size=16
{
	union
	{
		PVOID HandleCountDataBase; // Size=8 Offset=0
		struct _OBJECT_HANDLE_COUNT_ENTRY SingleEntry; // Size=16 Offset=0
	};
} OBJECT_HEADER_HANDLE_INFO, *POBJECT_HEADER_HANDLE_INFO;

typedef struct _OBJECT_HEADER_PROCESS_INFO { // Size=16
	PVOID ExclusiveProcess; // Size=8 Offset=0
	unsigned __int64 Reserved; // Size=8 Offset=8
} OBJECT_HEADER_PROCESS_INFO, *POBJECT_HEADER_PROCESS_INFO;

typedef struct _OBJECT_HEADER_QUOTA_INFO {
	ULONG PagedPoolCharge; //4
	ULONG NonPagedPoolCharge; //4 
	ULONG SecurityDescriptorCharge; //4
	PVOID SecurityDescriptorQuotaBlock; //sizeof(pointer)
	unsigned __int64 Reserved; //sizeof(uint64)
} OBJECT_HEADER_QUOTA_INFO, *POBJECT_HEADER_QUOTA_INFO;

typedef struct _QUAD {
	union
	{
		INT64 UseThisFieldToCopy;
		float DoNotUseThisField;
	};
} QUAD, *PQUAD;

typedef struct _OBJECT_CREATE_INFORMATION {
	ULONG Attributes;
	PVOID RootDirectory;
	CHAR ProbeMode;
	ULONG PagedPoolCharge;
	ULONG NonPagedPoolCharge;
	ULONG SecurityDescriptorCharge;
	PVOID SecurityDescriptor;
	PSECURITY_QUALITY_OF_SERVICE SecurityQos;
	SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;

typedef enum _POOL_TYPE {
	NonPagedPool = 0,
	NonPagedPoolExecute = 0,
	PagedPool = 1,
	NonPagedPoolMustSucceed = 2,
	DontUseThisType = 3,
	NonPagedPoolCacheAligned = 4,
	PagedPoolCacheAligned = 5,
	NonPagedPoolCacheAlignedMustS = 6,
	MaxPoolType = 7,
	NonPagedPoolBase = 0,
	NonPagedPoolBaseMustSucceed = 2,
	NonPagedPoolBaseCacheAligned = 4,
	NonPagedPoolBaseCacheAlignedMustS = 6,
	NonPagedPoolSession = 32,
	PagedPoolSession = 33,
	NonPagedPoolMustSucceedSession = 34,
	DontUseThisTypeSession = 35,
	NonPagedPoolCacheAlignedSession = 36,
	PagedPoolCacheAlignedSession = 37,
	NonPagedPoolCacheAlignedMustSSession = 38,
	NonPagedPoolNx = 512,
	NonPagedPoolNxCacheAligned = 516,
	NonPagedPoolSessionNx = 544
} POOL_TYPE;

typedef struct _OBJECT_TYPE_INITIALIZER_V1 {
	USHORT          Length;
	BOOLEAN         UseDefaultObject;
	BOOLEAN         Reserved1;
	ULONG           InvalidAttributes;
	GENERIC_MAPPING GenericMapping;
	ACCESS_MASK     ValidAccessMask;
	BOOLEAN         SecurityRequired;
	BOOLEAN         MaintainHandleCount;
	BOOLEAN         MaintainTypeList;
	UCHAR           Reserved2;
	BOOLEAN         PagedPool;
	ULONG           DefaultPagedPoolCharge;
	ULONG           DefaultNonPagedPoolCharge;
	PVOID           DumpProcedure;
	PVOID           OpenProcedure;
	PVOID           CloseProcedure;
	PVOID           DeleteProcedure;
	PVOID           ParseProcedure;
	PVOID           SecurityProcedure;
	PVOID           QueryNameProcedure;
	PVOID           OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER_V1, *POBJECT_TYPE_INITIALIZER_V1;

typedef struct _OBJECT_TYPE_INITIALIZER_V2 {// Size=120
	USHORT Length; // Size=2 Offset=0
	UCHAR ObjectTypeFlags; // Size=1 Offset=2
	ULONG ObjectTypeCode; // Size=4 Offset=4
	ULONG InvalidAttributes; // Size=4 Offset=8
	GENERIC_MAPPING GenericMapping; // Size=16 Offset=12
	ULONG ValidAccessMask; // Size=4 Offset=28
	ULONG RetainAccess; // Size=4 Offset=32
	POOL_TYPE PoolType; // Size=4 Offset=36
	ULONG DefaultPagedPoolCharge; // Size=4 Offset=40
	ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44
	PVOID DumpProcedure; // Size=8 Offset=48
	PVOID OpenProcedure; // Size=8 Offset=56
	PVOID CloseProcedure; // Size=8 Offset=64
	PVOID DeleteProcedure; // Size=8 Offset=72
	PVOID ParseProcedure; // Size=8 Offset=80
	PVOID SecurityProcedure; // Size=8 Offset=88
	PVOID QueryNameProcedure; // Size=8 Offset=96
	PVOID OkayToCloseProcedure; // Size=8 Offset=104
} OBJECT_TYPE_INITIALIZER_V2, *POBJECT_TYPE_INITIALIZER_V2;

typedef struct _OBJECT_TYPE_INITIALIZER_V3 {// Size=120
	USHORT Length; // Size=2 Offset=0
	UCHAR ObjectTypeFlags; // Size=1 Offset=2
	ULONG ObjectTypeCode; // Size=4 Offset=4
	ULONG InvalidAttributes; // Size=4 Offset=8
	GENERIC_MAPPING GenericMapping; // Size=16 Offset=12
	ULONG ValidAccessMask; // Size=4 Offset=28
	ULONG RetainAccess; // Size=4 Offset=32
	POOL_TYPE PoolType; // Size=4 Offset=36
	ULONG DefaultPagedPoolCharge; // Size=4 Offset=40
	ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44
	PVOID DumpProcedure; // Size=8 Offset=48
	PVOID OpenProcedure; // Size=8 Offset=56
	PVOID CloseProcedure; // Size=8 Offset=64
	PVOID DeleteProcedure; // Size=8 Offset=72
	PVOID ParseProcedure; // Size=8 Offset=80
	PVOID SecurityProcedure; // Size=8 Offset=88
	PVOID QueryNameProcedure; // Size=8 Offset=96
	PVOID OkayToCloseProcedure; // Size=8 Offset=104
	ULONG WaitObjectFlagMask; // Size=4 Offset=112
	USHORT WaitObjectFlagOffset; // Size=2 Offset=116
	USHORT WaitObjectPointerOffset; // Size=2 Offset=118
} OBJECT_TYPE_INITIALIZER_V3, *POBJECT_TYPE_INITIALIZER_V3;

typedef struct _OBJECT_TYPE_INITIALIZER {// Size=120
	USHORT Length; // Size=2 Offset=0
	UCHAR ObjectTypeFlags; // Size=1 Offset=2
	ULONG ObjectTypeCode; // Size=4 Offset=4
	ULONG InvalidAttributes; // Size=4 Offset=8
	GENERIC_MAPPING GenericMapping; // Size=16 Offset=12
	ULONG ValidAccessMask; // Size=4 Offset=28
	ULONG RetainAccess; // Size=4 Offset=32
	POOL_TYPE PoolType; // Size=4 Offset=36
	ULONG DefaultPagedPoolCharge; // Size=4 Offset=40
	ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44
	PVOID DumpProcedure; // Size=8 Offset=48
	PVOID OpenProcedure; // Size=8 Offset=56
	PVOID CloseProcedure; // Size=8 Offset=64
	PVOID DeleteProcedure; // Size=8 Offset=72
	PVOID ParseProcedure; // Size=8 Offset=80
	PVOID SecurityProcedure; // Size=8 Offset=88
	PVOID QueryNameProcedure; // Size=8 Offset=96
	PVOID OkayToCloseProcedure; // Size=8 Offset=104
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

typedef struct _OBJECT_TYPE_V2 {// Size=216
	LIST_ENTRY TypeList; // Size=16 Offset=0
	UNICODE_STRING Name; // Size=16 Offset=16
	PVOID DefaultObject; // Size=8 Offset=32
	UCHAR Index; // Size=1 Offset=40
	ULONG TotalNumberOfObjects; // Size=4 Offset=44
	ULONG TotalNumberOfHandles; // Size=4 Offset=48
	ULONG HighWaterNumberOfObjects; // Size=4 Offset=52
	ULONG HighWaterNumberOfHandles; // Size=4 Offset=56
	OBJECT_TYPE_INITIALIZER_V2 TypeInfo;
	EX_PUSH_LOCK TypeLock;
	ULONG Key;
	LIST_ENTRY CallbackList;
} OBJECT_TYPE_V2, *POBJECT_TYPE_V2;

typedef struct _OBJECT_TYPE_V3 {// Size=216
	LIST_ENTRY TypeList; // Size=16 Offset=0
	UNICODE_STRING Name; // Size=16 Offset=16
	PVOID DefaultObject; // Size=8 Offset=32
	UCHAR Index; // Size=1 Offset=40
	ULONG TotalNumberOfObjects; // Size=4 Offset=44
	ULONG TotalNumberOfHandles; // Size=4 Offset=48
	ULONG HighWaterNumberOfObjects; // Size=4 Offset=52
	ULONG HighWaterNumberOfHandles; // Size=4 Offset=56
	OBJECT_TYPE_INITIALIZER_V3 TypeInfo;
	EX_PUSH_LOCK TypeLock;
	ULONG Key;
	LIST_ENTRY CallbackList;
} OBJECT_TYPE_V3, *POBJECT_TYPE_V3;

typedef struct _OBJECT_TYPE_COMPATIBLE {
	LIST_ENTRY TypeList;
	UNICODE_STRING Name;
	PVOID DefaultObject;
	UCHAR Index;
	ULONG TotalNumberOfObjects;
	ULONG TotalNumberOfHandles;
	ULONG HighWaterNumberOfObjects;
	ULONG HighWaterNumberOfHandles;
	OBJECT_TYPE_INITIALIZER_V2 TypeInfo;
} OBJECT_TYPE_COMPATIBLE, *POBJECT_TYPE_COMPATIBLE;

/*
** brand new header starting from 6.1
*/

typedef struct _OBJECT_HEADER {
	LONG PointerCount;
	union
	{
		LONG HandleCount;
		PVOID NextToFree;
	};
	EX_PUSH_LOCK Lock;
	UCHAR TypeIndex;
	UCHAR TraceFlags;
	UCHAR InfoMask;
	UCHAR Flags;
	union
	{
		POBJECT_CREATE_INFORMATION ObjectCreateInfo;
		PVOID QuotaBlockCharged;
	};
	PVOID SecurityDescriptor;
	QUAD Body;
} OBJECT_HEADER, *POBJECT_HEADER;

#define OBJECT_TO_OBJECT_HEADER(obj) \
    CONTAINING_RECORD( (obj), OBJECT_HEADER, Body )

/*
** OBJECT MANAGER END
*/

/*
* WDM START
*/
#define TIMER_TOLERABLE_DELAY_BITS      6
#define TIMER_EXPIRED_INDEX_BITS        6
#define TIMER_PROCESSOR_INDEX_BITS      5

typedef struct _DISPATCHER_HEADER {
	union {
		union {
			volatile LONG Lock;
			LONG LockNV;
		} DUMMYUNIONNAME;

		struct {                            // Events, Semaphores, Gates, etc.
			UCHAR Type;                     // All (accessible via KOBJECT_TYPE)
			UCHAR Signalling;
			UCHAR Size;
			UCHAR Reserved1;
		} DUMMYSTRUCTNAME;

		struct {                            // Timer
			UCHAR TimerType;
			union {
				UCHAR TimerControlFlags;
				struct {
					UCHAR Absolute : 1;
					UCHAR Wake : 1;
					UCHAR EncodedTolerableDelay : TIMER_TOLERABLE_DELAY_BITS;
				} DUMMYSTRUCTNAME;
			};

			UCHAR Hand;
			union {
				UCHAR TimerMiscFlags;
				struct {

#if !defined(KENCODED_TIMER_PROCESSOR)

					UCHAR Index : TIMER_EXPIRED_INDEX_BITS;

#else

					UCHAR Index : 1;
					UCHAR Processor : TIMER_PROCESSOR_INDEX_BITS;

#endif

					UCHAR Inserted : 1;
					volatile UCHAR Expired : 1;
				} DUMMYSTRUCTNAME;
			} DUMMYUNIONNAME;
		} DUMMYSTRUCTNAME2;

		struct {                            // Timer2
			UCHAR Timer2Type;
			union {
				UCHAR Timer2Flags;
				struct {
					UCHAR Timer2Inserted : 1;
					UCHAR Timer2Expiring : 1;
					UCHAR Timer2CancelPending : 1;
					UCHAR Timer2SetPending : 1;
					UCHAR Timer2Running : 1;
					UCHAR Timer2Disabled : 1;
					UCHAR Timer2ReservedFlags : 2;
				} DUMMYSTRUCTNAME;
			} DUMMYUNIONNAME;

			UCHAR Timer2Reserved1;
			UCHAR Timer2Reserved2;
		} DUMMYSTRUCTNAME3;

		struct {                            // Queue
			UCHAR QueueType;
			union {
				UCHAR QueueControlFlags;
				struct {
					UCHAR Abandoned : 1;
					UCHAR DisableIncrement : 1;
					UCHAR QueueReservedControlFlags : 6;
				} DUMMYSTRUCTNAME;
			} DUMMYUNIONNAME;

			UCHAR QueueSize;
			UCHAR QueueReserved;
		} DUMMYSTRUCTNAME4;

		struct {                            // Thread
			UCHAR ThreadType;
			UCHAR ThreadReserved;
			union {
				UCHAR ThreadControlFlags;
				struct {
					UCHAR CycleProfiling : 1;
					UCHAR CounterProfiling : 1;
					UCHAR GroupScheduling : 1;
					UCHAR AffinitySet : 1;
					UCHAR ThreadReservedControlFlags : 4;
				} DUMMYSTRUCTNAME;
			} DUMMYUNIONNAME;

			union {
				UCHAR DebugActive;

#if !defined(_X86_)

				struct {
					BOOLEAN ActiveDR7 : 1;
					BOOLEAN Instrumented : 1;
					BOOLEAN Minimal : 1;
					BOOLEAN Reserved4 : 3;
					BOOLEAN UmsScheduled : 1;
					BOOLEAN UmsPrimary : 1;
				} DUMMYSTRUCTNAME;

#endif

			} DUMMYUNIONNAME2;
		} DUMMYSTRUCTNAME5;

		struct {                         // Mutant
			UCHAR MutantType;
			UCHAR MutantSize;
			BOOLEAN DpcActive;
			UCHAR MutantReserved;
		} DUMMYSTRUCTNAME6;
	} DUMMYUNIONNAME;

	LONG SignalState;                   // Object lock
	LIST_ENTRY WaitListHead;            // Object lock
} DISPATCHER_HEADER, *PDISPATCHER_HEADER;

typedef struct _KEVENT {
	DISPATCHER_HEADER Header;
} KEVENT, *PKEVENT, *PRKEVENT;

typedef struct _KMUTANT {
	DISPATCHER_HEADER Header;
	LIST_ENTRY MutantListEntry;
	struct _KTHREAD *OwnerThread;
	BOOLEAN Abandoned;
	UCHAR ApcDisable;
} KMUTANT, *PKMUTANT, *PRKMUTANT, KMUTEX, *PKMUTEX, *PRKMUTEX;

typedef struct _KSEMAPHORE {
	DISPATCHER_HEADER Header;
	LONG Limit;
} KSEMAPHORE, *PKSEMAPHORE, *PRKSEMAPHORE;

typedef struct _KTIMER {
	DISPATCHER_HEADER Header;
	ULARGE_INTEGER DueTime;
	LIST_ENTRY TimerListEntry;
	struct _KDPC *Dpc;
	ULONG Processor;
	LONG Period;
} KTIMER, *PKTIMER, *PRKTIMER;

typedef struct _KDEVICE_QUEUE_ENTRY {
	LIST_ENTRY DeviceListEntry;
	ULONG SortKey;
	BOOLEAN Inserted;
} KDEVICE_QUEUE_ENTRY, *PKDEVICE_QUEUE_ENTRY, *PRKDEVICE_QUEUE_ENTRY;

typedef enum _KDPC_IMPORTANCE {
	LowImportance,
	MediumImportance,
	HighImportance
} KDPC_IMPORTANCE;

typedef struct _KDPC {
	union {
		ULONG TargetInfoAsUlong;
		struct {
			UCHAR Type;
			UCHAR Importance;
			volatile USHORT Number;
		} DUMMYSTRUCTNAME;
	} DUMMYUNIONNAME;

	SINGLE_LIST_ENTRY DpcListEntry;
	KAFFINITY ProcessorHistory;
	PVOID DeferredRoutine;
	PVOID DeferredContext;
	PVOID SystemArgument1;
	PVOID SystemArgument2;
	__volatile PVOID DpcData;
} KDPC, *PKDPC, *PRKDPC;

typedef struct _WAIT_CONTEXT_BLOCK {
	union {
		KDEVICE_QUEUE_ENTRY WaitQueueEntry;
		struct {
			LIST_ENTRY DmaWaitEntry;
			ULONG NumberOfChannels;
			ULONG SyncCallback : 1;
			ULONG DmaContext : 1;
			ULONG Reserved : 30;
		};
	};
	PVOID DeviceRoutine;
	PVOID DeviceContext;
	ULONG NumberOfMapRegisters;
	PVOID DeviceObject;
	PVOID CurrentIrp;
	PKDPC BufferChainingDpc;
} WAIT_CONTEXT_BLOCK, *PWAIT_CONTEXT_BLOCK;

#define MAXIMUM_VOLUME_LABEL_LENGTH  (32 * sizeof(WCHAR)) // 32 characters

typedef struct _VPB {
	CSHORT Type;
	CSHORT Size;
	USHORT Flags;
	USHORT VolumeLabelLength; // in bytes
	struct _DEVICE_OBJECT *DeviceObject;
	struct _DEVICE_OBJECT *RealDevice;
	ULONG SerialNumber;
	ULONG ReferenceCount;
	WCHAR VolumeLabel[MAXIMUM_VOLUME_LABEL_LENGTH / sizeof(WCHAR)];
} VPB, *PVPB;

typedef struct _KQUEUE {
	DISPATCHER_HEADER Header;
	LIST_ENTRY EntryListHead;
	ULONG CurrentCount;
	ULONG MaximumCount;
	LIST_ENTRY ThreadListHead;
} KQUEUE, *PKQUEUE;

typedef struct _KDEVICE_QUEUE {
	CSHORT Type;
	CSHORT Size;
	LIST_ENTRY DeviceListHead;
	KSPIN_LOCK Lock;

#if defined(_AMD64_)

	union {
		BOOLEAN Busy;
		struct {
			LONG64 Reserved : 8;
			LONG64 Hint : 56;
		};
	};

#else

	BOOLEAN Busy;

#endif

} KDEVICE_QUEUE, *PKDEVICE_QUEUE, *PRKDEVICE_QUEUE;

enum _KOBJECTS {
	EventNotificationObject = 0x0,
	EventSynchronizationObject = 0x1,
	MutantObject = 0x2,
	ProcessObject = 0x3,
	QueueObject = 0x4,
	SemaphoreObject = 0x5,
	ThreadObject = 0x6,
	GateObject = 0x7,
	TimerNotificationObject = 0x8,
	TimerSynchronizationObject = 0x9,
	Spare2Object = 0xa,
	Spare3Object = 0xb,
	Spare4Object = 0xc,
	Spare5Object = 0xd,
	Spare6Object = 0xe,
	Spare7Object = 0xf,
	Spare8Object = 0x10,
	Spare9Object = 0x11,
	ApcObject = 0x12,
	DpcObject = 0x13,
	DeviceQueueObject = 0x14,
	EventPairObject = 0x15,
	InterruptObject = 0x16,
	ProfileObject = 0x17,
	ThreadedDpcObject = 0x18,
	MaximumKernelObject = 0x19,
};

#define DO_VERIFY_VOLUME                0x00000002      // ntddk nthal ntifs wdm
#define DO_BUFFERED_IO                  0x00000004      // ntddk nthal ntifs wdm
#define DO_EXCLUSIVE                    0x00000008      // ntddk nthal ntifs wdm
#define DO_DIRECT_IO                    0x00000010      // ntddk nthal ntifs wdm
#define DO_MAP_IO_BUFFER                0x00000020      // ntddk nthal ntifs wdm
#define DO_DEVICE_HAS_NAME              0x00000040      // ntddk nthal ntifs
#define DO_DEVICE_INITIALIZING          0x00000080      // ntddk nthal ntifs wdm
#define DO_SYSTEM_BOOT_PARTITION        0x00000100      // ntddk nthal ntifs
#define DO_LONG_TERM_REQUESTS           0x00000200      // ntddk nthal ntifs
#define DO_NEVER_LAST_DEVICE            0x00000400      // ntddk nthal ntifs
#define DO_SHUTDOWN_REGISTERED          0x00000800      // ntddk nthal ntifs wdm
#define DO_BUS_ENUMERATED_DEVICE        0x00001000      // ntddk nthal ntifs wdm
#define DO_POWER_PAGABLE                0x00002000      // ntddk nthal ntifs wdm
#define DO_POWER_INRUSH                 0x00004000      // ntddk nthal ntifs wdm
#define DO_POWER_NOOP                   0x00008000
#define DO_LOW_PRIORITY_FILESYSTEM      0x00010000      // ntddk nthal ntifs
#define DO_XIP                          0x00020000

#define FILE_REMOVABLE_MEDIA                        0x00000001
#define FILE_READ_ONLY_DEVICE                       0x00000002
#define FILE_FLOPPY_DISKETTE                        0x00000004
#define FILE_WRITE_ONCE_MEDIA                       0x00000008
#define FILE_REMOTE_DEVICE                          0x00000010
#define FILE_DEVICE_IS_MOUNTED                      0x00000020
#define FILE_VIRTUAL_VOLUME                         0x00000040
#define FILE_AUTOGENERATED_DEVICE_NAME              0x00000080
#define FILE_DEVICE_SECURE_OPEN                     0x00000100
#define FILE_CHARACTERISTIC_PNP_DEVICE              0x00000800
#define FILE_CHARACTERISTIC_TS_DEVICE               0x00001000
#define FILE_CHARACTERISTIC_WEBDAV_DEVICE           0x00002000
#define FILE_CHARACTERISTIC_CSV                     0x00010000
#define FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL    0x00020000
#define FILE_PORTABLE_DEVICE                        0x00040000

#define FILE_DEVICE_BEEP                0x00000001
#define FILE_DEVICE_CD_ROM              0x00000002
#define FILE_DEVICE_CD_ROM_FILE_SYSTEM  0x00000003
#define FILE_DEVICE_CONTROLLER          0x00000004
#define FILE_DEVICE_DATALINK            0x00000005
#define FILE_DEVICE_DFS                 0x00000006
#define FILE_DEVICE_DISK                0x00000007
#define FILE_DEVICE_DISK_FILE_SYSTEM    0x00000008
#define FILE_DEVICE_FILE_SYSTEM         0x00000009
#define FILE_DEVICE_INPORT_PORT         0x0000000a
#define FILE_DEVICE_KEYBOARD            0x0000000b
#define FILE_DEVICE_MAILSLOT            0x0000000c
#define FILE_DEVICE_MIDI_IN             0x0000000d
#define FILE_DEVICE_MIDI_OUT            0x0000000e
#define FILE_DEVICE_MOUSE               0x0000000f
#define FILE_DEVICE_MULTI_UNC_PROVIDER  0x00000010
#define FILE_DEVICE_NAMED_PIPE          0x00000011
#define FILE_DEVICE_NETWORK             0x00000012
#define FILE_DEVICE_NETWORK_BROWSER     0x00000013
#define FILE_DEVICE_NETWORK_FILE_SYSTEM 0x00000014
#define FILE_DEVICE_NULL                0x00000015
#define FILE_DEVICE_PARALLEL_PORT       0x00000016
#define FILE_DEVICE_PHYSICAL_NETCARD    0x00000017
#define FILE_DEVICE_PRINTER             0x00000018
#define FILE_DEVICE_SCANNER             0x00000019
#define FILE_DEVICE_SERIAL_MOUSE_PORT   0x0000001a
#define FILE_DEVICE_SERIAL_PORT         0x0000001b
#define FILE_DEVICE_SCREEN              0x0000001c
#define FILE_DEVICE_SOUND               0x0000001d
#define FILE_DEVICE_STREAMS             0x0000001e
#define FILE_DEVICE_TAPE                0x0000001f
#define FILE_DEVICE_TAPE_FILE_SYSTEM    0x00000020
#define FILE_DEVICE_TRANSPORT           0x00000021
#define FILE_DEVICE_UNKNOWN             0x00000022
#define FILE_DEVICE_VIDEO               0x00000023
#define FILE_DEVICE_VIRTUAL_DISK        0x00000024
#define FILE_DEVICE_WAVE_IN             0x00000025
#define FILE_DEVICE_WAVE_OUT            0x00000026
#define FILE_DEVICE_8042_PORT           0x00000027
#define FILE_DEVICE_NETWORK_REDIRECTOR  0x00000028
#define FILE_DEVICE_BATTERY             0x00000029
#define FILE_DEVICE_BUS_EXTENDER        0x0000002a
#define FILE_DEVICE_MODEM               0x0000002b
#define FILE_DEVICE_VDM                 0x0000002c
#define FILE_DEVICE_MASS_STORAGE        0x0000002d
#define FILE_DEVICE_SMB                 0x0000002e
#define FILE_DEVICE_KS                  0x0000002f
#define FILE_DEVICE_CHANGER             0x00000030
#define FILE_DEVICE_SMARTCARD           0x00000031
#define FILE_DEVICE_ACPI                0x00000032
#define FILE_DEVICE_DVD                 0x00000033
#define FILE_DEVICE_FULLSCREEN_VIDEO    0x00000034
#define FILE_DEVICE_DFS_FILE_SYSTEM     0x00000035
#define FILE_DEVICE_DFS_VOLUME          0x00000036
#define FILE_DEVICE_SERENUM             0x00000037
#define FILE_DEVICE_TERMSRV             0x00000038
#define FILE_DEVICE_KSEC                0x00000039
#define FILE_DEVICE_FIPS                0x0000003A
#define FILE_DEVICE_INFINIBAND          0x0000003B
#define FILE_DEVICE_VMBUS               0x0000003E
#define FILE_DEVICE_CRYPT_PROVIDER      0x0000003F
#define FILE_DEVICE_WPD                 0x00000040
#define FILE_DEVICE_BLUETOOTH           0x00000041
#define FILE_DEVICE_MT_COMPOSITE        0x00000042
#define FILE_DEVICE_MT_TRANSPORT        0x00000043
#define FILE_DEVICE_BIOMETRIC           0x00000044
#define FILE_DEVICE_PMI                 0x00000045
#define FILE_DEVICE_EHSTOR              0x00000046
#define FILE_DEVICE_DEVAPI              0x00000047
#define FILE_DEVICE_GPIO                0x00000048
#define FILE_DEVICE_USBEX               0x00000049
#define FILE_DEVICE_CONSOLE             0x00000050
#define FILE_DEVICE_NFP                 0x00000051
#define FILE_DEVICE_SYSENV              0x00000052
#define FILE_DEVICE_VIRTUAL_BLOCK       0x00000053
#define FILE_DEVICE_POINT_OF_SERVICE    0x00000054

#define FILE_BYTE_ALIGNMENT             0x00000000
#define FILE_WORD_ALIGNMENT             0x00000001
#define FILE_LONG_ALIGNMENT             0x00000003
#define FILE_QUAD_ALIGNMENT             0x00000007
#define FILE_OCTA_ALIGNMENT             0x0000000f
#define FILE_32_BYTE_ALIGNMENT          0x0000001f
#define FILE_64_BYTE_ALIGNMENT          0x0000003f
#define FILE_128_BYTE_ALIGNMENT         0x0000007f
#define FILE_256_BYTE_ALIGNMENT         0x000000ff
#define FILE_512_BYTE_ALIGNMENT         0x000001ff

#define DPC_NORMAL 0
#define DPC_THREADED 1

typedef struct _DEVICE_OBJECT {
	CSHORT                      Type;
	USHORT                      Size;
	LONG                        ReferenceCount;
	struct _DRIVER_OBJECT  *DriverObject;
	struct _DEVICE_OBJECT  *NextDevice;
	struct _DEVICE_OBJECT  *AttachedDevice;
	struct _IRP  *CurrentIrp;
	PVOID		                Timer;
	ULONG                       Flags;
	ULONG                       Characteristics;
	__volatile PVPB             Vpb;
	PVOID                       DeviceExtension;
	DEVICE_TYPE                 DeviceType;
	CCHAR                       StackSize;
	union {
		LIST_ENTRY         ListEntry;
		WAIT_CONTEXT_BLOCK Wcb;
	} Queue;
	ULONG                       AlignmentRequirement;
	KDEVICE_QUEUE               DeviceQueue;
	KDPC                        Dpc;
	ULONG                       ActiveThreadCount;
	PSECURITY_DESCRIPTOR        SecurityDescriptor;
	KEVENT                      DeviceLock;
	USHORT                      SectorSize;
	USHORT                      Spare1;
	struct _DEVOBJ_EXTENSION  *  DeviceObjectExtension;
	PVOID                       Reserved;
} DEVICE_OBJECT, *PDEVICE_OBJECT;

typedef struct _DEVOBJ_EXTENSION {

	CSHORT          Type;
	USHORT          Size;

	//
	// Public part of the DeviceObjectExtension structure
	//

	PDEVICE_OBJECT  DeviceObject;               // owning device object

	// end_ntddk end_nthal end_ntifs end_wdm end_ntosp

	//
	// Universal Power Data - all device objects must have this
	//

	ULONG           PowerFlags;             // see ntos\po\pop.h
	// WARNING: Access via PO macros
	// and with PO locking rules ONLY.

	//
	// Pointer to the non-universal power data
	//  Power data that only some device objects need is stored in the
	//  device object power extension -> DOPE
	//  see po.h
	//

	struct          _DEVICE_OBJECT_POWER_EXTENSION  *Dope;

	//
	// power state information
	//

	//
	// Device object extension flags.  Protected by the IopDatabaseLock.
	//

	ULONG ExtensionFlags;

	//
	// PnP manager fields
	//

	PVOID           DeviceNode;

	//
	// AttachedTo is a pointer to the device object that this device
	// object is attached to.  The attachment chain is now doubly
	// linked: this pointer and DeviceObject->AttachedDevice provide the
	// linkage.
	//

	PDEVICE_OBJECT  AttachedTo;

	//
	// The next two fields are used to prevent recursion in IoStartNextPacket
	// interfaces.
	//

	LONG           StartIoCount;       // Used to keep track of number of pending start ios.
	LONG           StartIoKey;         // Next startio key
	ULONG          StartIoFlags;       // Start Io Flags. Need a separate flag so that it can be accessed without locks
	PVPB           Vpb;                // If not NULL contains the VPB of the mounted volume.
	// Set in the filesystem's volume device object.
	// This is a reverse VPB pointer.

	// begin_ntddk begin_wdm begin_nthal begin_ntifs begin_ntosp

} DEVOBJ_EXTENSION, *PDEVOBJ_EXTENSION;

typedef struct _FAST_IO_DISPATCH {
	ULONG SizeOfFastIoDispatch;
	PVOID FastIoCheckIfPossible;
	PVOID FastIoRead;
	PVOID FastIoWrite;
	PVOID FastIoQueryBasicInfo;
	PVOID FastIoQueryStandardInfo;
	PVOID FastIoLock;
	PVOID FastIoUnlockSingle;
	PVOID FastIoUnlockAll;
	PVOID FastIoUnlockAllByKey;
	PVOID FastIoDeviceControl;
	PVOID AcquireFileForNtCreateSection;
	PVOID ReleaseFileForNtCreateSection;
	PVOID FastIoDetachDevice;
	PVOID FastIoQueryNetworkOpenInfo;
	PVOID AcquireForModWrite;
	PVOID MdlRead;
	PVOID MdlReadComplete;
	PVOID PrepareMdlWrite;
	PVOID MdlWriteComplete;
	PVOID FastIoReadCompressed;
	PVOID FastIoWriteCompressed;
	PVOID MdlReadCompleteCompressed;
	PVOID MdlWriteCompleteCompressed;
	PVOID FastIoQueryOpen;
	PVOID ReleaseForModWrite;
	PVOID AcquireForCcFlush;
	PVOID ReleaseForCcFlush;
} FAST_IO_DISPATCH, *PFAST_IO_DISPATCH;

#define IO_TYPE_ADAPTER                 0x00000001
#define IO_TYPE_CONTROLLER              0x00000002
#define IO_TYPE_DEVICE                  0x00000003
#define IO_TYPE_DRIVER                  0x00000004
#define IO_TYPE_FILE                    0x00000005
#define IO_TYPE_IRP                     0x00000006
#define IO_TYPE_MASTER_ADAPTER          0x00000007
#define IO_TYPE_OPEN_PACKET             0x00000008
#define IO_TYPE_TIMER                   0x00000009
#define IO_TYPE_VPB                     0x0000000a
#define IO_TYPE_ERROR_LOG               0x0000000b
#define IO_TYPE_ERROR_MESSAGE           0x0000000c
#define IO_TYPE_DEVICE_OBJECT_EXTENSION 0x0000000d

#define IRP_MJ_CREATE                   0x00
#define IRP_MJ_CREATE_NAMED_PIPE        0x01
#define IRP_MJ_CLOSE                    0x02
#define IRP_MJ_READ                     0x03
#define IRP_MJ_WRITE                    0x04
#define IRP_MJ_QUERY_INFORMATION        0x05
#define IRP_MJ_SET_INFORMATION          0x06
#define IRP_MJ_QUERY_EA                 0x07
#define IRP_MJ_SET_EA                   0x08
#define IRP_MJ_FLUSH_BUFFERS            0x09
#define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a
#define IRP_MJ_SET_VOLUME_INFORMATION   0x0b
#define IRP_MJ_DIRECTORY_CONTROL        0x0c
#define IRP_MJ_FILE_SYSTEM_CONTROL      0x0d
#define IRP_MJ_DEVICE_CONTROL           0x0e
#define IRP_MJ_INTERNAL_DEVICE_CONTROL  0x0f
#define IRP_MJ_SHUTDOWN                 0x10
#define IRP_MJ_LOCK_CONTROL             0x11
#define IRP_MJ_CLEANUP                  0x12
#define IRP_MJ_CREATE_MAILSLOT          0x13
#define IRP_MJ_QUERY_SECURITY           0x14
#define IRP_MJ_SET_SECURITY             0x15
#define IRP_MJ_POWER                    0x16
#define IRP_MJ_SYSTEM_CONTROL           0x17
#define IRP_MJ_DEVICE_CHANGE            0x18
#define IRP_MJ_QUERY_QUOTA              0x19
#define IRP_MJ_SET_QUOTA                0x1a
#define IRP_MJ_PNP                      0x1b
#define IRP_MJ_PNP_POWER                IRP_MJ_PNP      
#define IRP_MJ_MAXIMUM_FUNCTION         0x1b

typedef struct _DRIVER_EXTENSION {

	//
	// Back pointer to Driver Object
	//

	struct _DRIVER_OBJECT *DriverObject;

	//
	// The AddDevice entry point is called by the Plug & Play manager
	// to inform the driver when a new device instance arrives that this
	// driver must control.
	//

	PVOID AddDevice;

	//
	// The count field is used to count the number of times the driver has
	// had its registered reinitialization routine invoked.
	//

	ULONG Count;

	//
	// The service name field is used by the pnp manager to determine
	// where the driver related info is stored in the registry.
	//

	UNICODE_STRING ServiceKeyName;

} DRIVER_EXTENSION, *PDRIVER_EXTENSION;

#define DRVO_UNLOAD_INVOKED             0x00000001
#define DRVO_LEGACY_DRIVER              0x00000002
#define DRVO_BUILTIN_DRIVER             0x00000004    // Driver objects for Hal, PnP Mgr
#define DRVO_REINIT_REGISTERED          0x00000008
#define DRVO_INITIALIZED                0x00000010
#define DRVO_BOOTREINIT_REGISTERED      0x00000020
#define DRVO_LEGACY_RESOURCES           0x00000040
// end_ntddk end_nthal end_ntifs end_ntosp
#define DRVO_BASE_FILESYSTEM_DRIVER     0x00000080   // A driver that is at the bottom of the filesystem stack.
// begin_ntddk begin_nthal begin_ntifs begin_ntosp

typedef struct _DRIVER_OBJECT {
	CSHORT Type;
	CSHORT Size;

	//
	// The following links all of the devices created by a single driver
	// together on a list, and the Flags word provides an extensible flag
	// location for driver objects.
	//

	PDEVICE_OBJECT DeviceObject;
	ULONG Flags;

	//
	// The following section describes where the driver is loaded.  The count
	// field is used to count the number of times the driver has had its
	// registered reinitialization routine invoked.
	//

	PVOID DriverStart;
	ULONG DriverSize;
	PVOID DriverSection; //PLDR_DATA_TABLE_ENTRY
	PDRIVER_EXTENSION DriverExtension;

	//
	// The driver name field is used by the error log thread
	// determine the name of the driver that an I/O request is/was bound.
	//

	UNICODE_STRING DriverName;

	//
	// The following section is for registry support.  Thise is a pointer
	// to the path to the hardware information in the registry
	//

	PUNICODE_STRING HardwareDatabase;

	//
	// The following section contains the optional pointer to an array of
	// alternate entry points to a driver for "fast I/O" support.  Fast I/O
	// is performed by invoking the driver routine directly with separate
	// parameters, rather than using the standard IRP call mechanism.  Note
	// that these functions may only be used for synchronous I/O, and when
	// the file is cached.
	//

	PFAST_IO_DISPATCH FastIoDispatch;

	//
	// The following section describes the entry points to this particular
	// driver.  Note that the major function dispatch table must be the last
	// field in the object so that it remains extensible.
	//

	PVOID DriverInit;
	PVOID DriverStartIo;
	PVOID DriverUnload;
	PVOID MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];

} DRIVER_OBJECT;
typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT;

typedef struct _LDR_RESOURCE_INFO {
	ULONG_PTR Type;
	ULONG_PTR Name;
	ULONG Lang;
} LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO;

typedef struct _LDR_DATA_TABLE_ENTRY_COMPATIBLE {
	LIST_ENTRY InLoadOrderLinks;
	LIST_ENTRY InMemoryOrderLinks;
	union
	{
		LIST_ENTRY InInitializationOrderLinks;
		LIST_ENTRY InProgressLinks;
	} DUMMYUNION0;
	PVOID DllBase;
	PVOID EntryPoint;
	ULONG SizeOfImage;
	UNICODE_STRING FullDllName;
	UNICODE_STRING BaseDllName;
	ULONG Flags;
	WORD ObsoleteLoadCount;
	WORD TlsIndex;
	union
	{
		LIST_ENTRY HashLinks;
		struct
		{
			PVOID SectionPointer;
			ULONG CheckSum;
		};
	} DUMMYUNION1;
	union
	{
		ULONG TimeDateStamp;
		PVOID LoadedImports;
	} DUMMYUNION2;
	//fields below removed for compatibility
} LDR_DATA_TABLE_ENTRY_COMPATIBLE, *PLDR_DATA_TABLE_ENTRY_COMPATIBLE;
typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY;
typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE *PLDR_DATA_TABLE_ENTRY;
typedef LDR_DATA_TABLE_ENTRY *PCLDR_DATA_TABLE_ENTRY;

typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA {
    ULONG Flags;                    //Reserved.
    PCUNICODE_STRING FullDllName;   //The full path name of the DLL module.
    PCUNICODE_STRING BaseDllName;   //The base file name of the DLL module.
    PVOID DllBase;                  //A pointer to the base address for the DLL in memory.
    ULONG SizeOfImage;              //The size of the DLL image, in bytes.
} LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA;

typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA {
    ULONG Flags;                    //Reserved.
    PCUNICODE_STRING FullDllName;   //The full path name of the DLL module.
    PCUNICODE_STRING BaseDllName;   //The base file name of the DLL module.
    PVOID DllBase;                  //A pointer to the base address for the DLL in memory.
    ULONG SizeOfImage;              //The size of the DLL image, in bytes.
} LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA;

typedef union _LDR_DLL_NOTIFICATION_DATA {
    LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;
    LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;
} LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA;
typedef const LDR_DLL_NOTIFICATION_DATA *PCLDR_DLL_NOTIFICATION_DATA;

#define LDR_DLL_NOTIFICATION_REASON_LOADED   1
#define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2

/*
* WDM END
*/

/*
*  NTQSI Modules START
*/

typedef struct _RTL_PROCESS_MODULE_INFORMATION {
	HANDLE Section;
	PVOID MappedBase;
	PVOID ImageBase;
	ULONG ImageSize;
	ULONG Flags;
	USHORT LoadOrderIndex;
	USHORT InitOrderIndex;
	USHORT LoadCount;
	USHORT OffsetToFileName;
	UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

typedef struct _RTL_PROCESS_MODULES {
	ULONG NumberOfModules;
	RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

/*
*	NTQSI Modules END
*/

/*
** Virtual Memory START
*/

typedef enum _MEMORY_INFORMATION_CLASS
{
	MemoryBasicInformation,
	MemoryWorkingSetInformation,
	MemoryMappedFilenameInformation,
	MemoryRegionInformation,
	MemoryWorkingSetExInformation
} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS;

typedef struct _MEMORY_REGION_INFORMATION {
	PVOID AllocationBase;
	ULONG AllocationProtect;
	ULONG RegionType;
	SIZE_T RegionSize;
} MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION;

/*
** Virtual Memory END
*/

/*
** System Firmware START
*/

typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION
{
	SystemFirmwareTable_Enumerate,
	SystemFirmwareTable_Get
} SYSTEM_FIRMWARE_TABLE_ACTION, *PSYSTEM_FIRMWARE_TABLE_ACTION;

typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION {
	ULONG ProviderSignature;
	SYSTEM_FIRMWARE_TABLE_ACTION Action;
	ULONG TableID;
	ULONG TableBufferLength;
	UCHAR TableBuffer[ANYSIZE_ARRAY];
} SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION;

/*
** System Firmware END
*/

//
//  PEB/TEB
//
#define GDI_HANDLE_BUFFER_SIZE32  34
#define GDI_HANDLE_BUFFER_SIZE64  60

#if !defined(_M_X64)
#define GDI_HANDLE_BUFFER_SIZE      GDI_HANDLE_BUFFER_SIZE32
#else
#define GDI_HANDLE_BUFFER_SIZE      GDI_HANDLE_BUFFER_SIZE64
#endif

typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];

#define RTL_MAX_DRIVE_LETTERS 32
#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001

#define GDI_MAX_HANDLE_COUNT 0x4000

// 32-bit definitions
typedef struct _STRING32 {
	USHORT Length;
	USHORT MaximumLength;
	ULONG Buffer;
} STRING32;
typedef STRING32 *PSTRING32;

typedef STRING32 UNICODE_STRING32;

#if (_MSC_VER < 1300) && !defined(_WINDOWS_)
typedef struct LIST_ENTRY32 {
	DWORD Flink;
	DWORD Blink;
} LIST_ENTRY32;
typedef LIST_ENTRY32 *PLIST_ENTRY32;

typedef struct LIST_ENTRY64 {
	ULONGLONG Flink;
	ULONGLONG Blink;
} LIST_ENTRY64;
typedef LIST_ENTRY64 *PLIST_ENTRY64;
#endif

#define WOW64_POINTER(Type) ULONG

typedef struct _PEB_LDR_DATA32 {
	ULONG Length;
	BOOLEAN Initialized;
	WOW64_POINTER(HANDLE) SsHandle;
	LIST_ENTRY32 InLoadOrderModuleList;
	LIST_ENTRY32 InMemoryOrderModuleList;
	LIST_ENTRY32 InInitializationOrderModuleList;
	WOW64_POINTER(PVOID) EntryInProgress;
	BOOLEAN ShutdownInProgress;
	WOW64_POINTER(HANDLE) ShutdownThreadId;
} PEB_LDR_DATA32, *PPEB_LDR_DATA32;

#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP32 FIELD_OFFSET( LDR_DATA_TABLE_ENTRY32, ForwarderLinks )

typedef struct _LDR_DATA_TABLE_ENTRY32 {
	LIST_ENTRY32 InLoadOrderLinks;
	LIST_ENTRY32 InMemoryOrderLinks;
	LIST_ENTRY32 InInitializationOrderLinks;
	WOW64_POINTER(PVOID) DllBase;
	WOW64_POINTER(PVOID) EntryPoint;
	ULONG SizeOfImage;
	UNICODE_STRING32 FullDllName;
	UNICODE_STRING32 BaseDllName;
	ULONG Flags;
	USHORT LoadCount;
	USHORT TlsIndex;
	union
	{
		LIST_ENTRY32 HashLinks;
		struct
		{
			WOW64_POINTER(PVOID) SectionPointer;
			ULONG CheckSum;
		};
	};
	union
	{
		ULONG TimeDateStamp;
		WOW64_POINTER(PVOID) LoadedImports;
	};
	WOW64_POINTER(PVOID) EntryPointActivationContext;
	WOW64_POINTER(PVOID) PatchInformation;
	LIST_ENTRY32 ForwarderLinks;
	LIST_ENTRY32 ServiceTagLinks;
	LIST_ENTRY32 StaticLinks;
	WOW64_POINTER(PVOID) ContextInformation;
	WOW64_POINTER(ULONG_PTR) OriginalBase;
	LARGE_INTEGER LoadTime;
} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;

typedef struct _CURDIR32 {
	UNICODE_STRING32 DosPath;
	WOW64_POINTER(HANDLE) Handle;
} CURDIR32, *PCURDIR32;

typedef struct _RTL_DRIVE_LETTER_CURDIR32 {
	USHORT Flags;
	USHORT Length;
	ULONG TimeStamp;
	STRING32 DosPath;
} RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32;

typedef struct _RTL_USER_PROCESS_PARAMETERS32 {
	ULONG MaximumLength;
	ULONG Length;

	ULONG Flags;
	ULONG DebugFlags;

	WOW64_POINTER(HANDLE) ConsoleHandle;
	ULONG ConsoleFlags;
	WOW64_POINTER(HANDLE) StandardInput;
	WOW64_POINTER(HANDLE) StandardOutput;
	WOW64_POINTER(HANDLE) StandardError;

	CURDIR32 CurrentDirectory;
	UNICODE_STRING32 DllPath;
	UNICODE_STRING32 ImagePathName;
	UNICODE_STRING32 CommandLine;
	WOW64_POINTER(PVOID) Environment;

	ULONG StartingX;
	ULONG StartingY;
	ULONG CountX;
	ULONG CountY;
	ULONG CountCharsX;
	ULONG CountCharsY;
	ULONG FillAttribute;

	ULONG WindowFlags;
	ULONG ShowWindowFlags;
	UNICODE_STRING32 WindowTitle;
	UNICODE_STRING32 DesktopInfo;
	UNICODE_STRING32 ShellInfo;
	UNICODE_STRING32 RuntimeData;
	RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS];

	ULONG EnvironmentSize;
	ULONG EnvironmentVersion;
} RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32;

typedef struct _PEB32 {
	BOOLEAN InheritedAddressSpace;
	BOOLEAN ReadImageFileExecOptions;
	BOOLEAN BeingDebugged;
	union
	{
		BOOLEAN BitField;
		struct
		{
			BOOLEAN ImageUsesLargePages : 1;
			BOOLEAN IsProtectedProcess : 1;
			BOOLEAN IsLegacyProcess : 1;
			BOOLEAN IsImageDynamicallyRelocated : 1;
			BOOLEAN SkipPatchingUser32Forwarders : 1;
			BOOLEAN SpareBits : 3;
		};
	};
	WOW64_POINTER(HANDLE) Mutant;

	WOW64_POINTER(PVOID) ImageBaseAddress;
	WOW64_POINTER(PPEB_LDR_DATA) Ldr;
	WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters;
	WOW64_POINTER(PVOID) SubSystemData;
	WOW64_POINTER(PVOID) ProcessHeap;
	WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock;
	WOW64_POINTER(PVOID) AtlThunkSListPtr;
	WOW64_POINTER(PVOID) IFEOKey;
	union
	{
		ULONG CrossProcessFlags;
		struct
		{
			ULONG ProcessInJob : 1;
			ULONG ProcessInitializing : 1;
			ULONG ProcessUsingVEH : 1;
			ULONG ProcessUsingVCH : 1;
			ULONG ProcessUsingFTH : 1;
			ULONG ReservedBits0 : 27;
		};
		ULONG EnvironmentUpdateCount;
	};
	union
	{
		WOW64_POINTER(PVOID) KernelCallbackTable;
		WOW64_POINTER(PVOID) UserSharedInfoPtr;
	};
	ULONG SystemReserved[1];
	ULONG AtlThunkSListPtr32;
	WOW64_POINTER(PVOID) ApiSetMap;
	ULONG TlsExpansionCounter;
	WOW64_POINTER(PVOID) TlsBitmap;
	ULONG TlsBitmapBits[2];
	WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase;
	WOW64_POINTER(PVOID) HotpatchInformation;
	WOW64_POINTER(PPVOID) ReadOnlyStaticServerData;
	WOW64_POINTER(PVOID) AnsiCodePageData;
	WOW64_POINTER(PVOID) OemCodePageData;
	WOW64_POINTER(PVOID) UnicodeCaseTableData;

	ULONG NumberOfProcessors;
	ULONG NtGlobalFlag;

	LARGE_INTEGER CriticalSectionTimeout;
	WOW64_POINTER(SIZE_T) HeapSegmentReserve;
	WOW64_POINTER(SIZE_T) HeapSegmentCommit;
	WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold;
	WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold;

	ULONG NumberOfHeaps;
	ULONG MaximumNumberOfHeaps;
	WOW64_POINTER(PPVOID) ProcessHeaps;

	WOW64_POINTER(PVOID) GdiSharedHandleTable;
	WOW64_POINTER(PVOID) ProcessStarterHelper;
	ULONG GdiDCAttributeList;

	WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock;

	ULONG OSMajorVersion;
	ULONG OSMinorVersion;
	USHORT OSBuildNumber;
	USHORT OSCSDVersion;
	ULONG OSPlatformId;
	ULONG ImageSubsystem;
	ULONG ImageSubsystemMajorVersion;
	ULONG ImageSubsystemMinorVersion;
	WOW64_POINTER(ULONG_PTR) ImageProcessAffinityMask;
	GDI_HANDLE_BUFFER32 GdiHandleBuffer;
	WOW64_POINTER(PVOID) PostProcessInitRoutine;

	WOW64_POINTER(PVOID) TlsExpansionBitmap;
	ULONG TlsExpansionBitmapBits[32];

	ULONG SessionId;

	// Rest of structure not included.
} PEB32, *PPEB32;

#define GDI_BATCH_BUFFER_SIZE 310

typedef struct _GDI_TEB_BATCH32 {
	ULONG Offset;
	WOW64_POINTER(ULONG_PTR) HDC;
	ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
} GDI_TEB_BATCH32, *PGDI_TEB_BATCH32;

#if (_MSC_VER < 1300) && !defined(_WINDOWS_)
//
// 32 and 64 bit specific version for wow64 and the debugger
//
typedef struct _NT_TIB32 {
	DWORD ExceptionList;
	DWORD StackBase;
	DWORD StackLimit;
	DWORD SubSystemTib;
	union {
		DWORD FiberData;
		DWORD Version;
	};
	DWORD ArbitraryUserPointer;
	DWORD Self;
} NT_TIB32, *PNT_TIB32;

typedef struct _NT_TIB64 {
	DWORD64 ExceptionList;
	DWORD64 StackBase;
	DWORD64 StackLimit;
	DWORD64 SubSystemTib;
	union {
		DWORD64 FiberData;
		DWORD Version;
	};
	DWORD64 ArbitraryUserPointer;
	DWORD64 Self;
} NT_TIB64, *PNT_TIB64;
#endif

typedef struct _TEB32 {
	NT_TIB32 NtTib;

	WOW64_POINTER(PVOID) EnvironmentPointer;
	CLIENT_ID32 ClientId;
	WOW64_POINTER(PVOID) ActiveRpcHandle;
	WOW64_POINTER(PVOID) ThreadLocalStoragePointer;
	WOW64_POINTER(PPEB) ProcessEnvironmentBlock;

	ULONG LastErrorValue;
	ULONG CountOfOwnedCriticalSections;
	WOW64_POINTER(PVOID) CsrClientThread;
	WOW64_POINTER(PVOID) Win32ThreadInfo;
	ULONG User32Reserved[26];
	ULONG UserReserved[5];
	WOW64_POINTER(PVOID) WOW32Reserved;
	LCID CurrentLocale;
	ULONG FpSoftwareStatusRegister;
	WOW64_POINTER(PVOID) SystemReserved1[54];
	NTSTATUS ExceptionCode;
	WOW64_POINTER(PVOID) ActivationContextStackPointer;
	BYTE SpareBytes[36];
	ULONG TxFsContext;

	GDI_TEB_BATCH32 GdiTebBatch;
	CLIENT_ID32 RealClientId;
	WOW64_POINTER(HANDLE) GdiCachedProcessHandle;
	ULONG GdiClientPID;
	ULONG GdiClientTID;
	WOW64_POINTER(PVOID) GdiThreadLocalInfo;
	WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62];
	WOW64_POINTER(PVOID) glDispatchTable[233];
	WOW64_POINTER(ULONG_PTR) glReserved1[29];
	WOW64_POINTER(PVOID) glReserved2;
	WOW64_POINTER(PVOID) glSectionInfo;
	WOW64_POINTER(PVOID) glSection;
	WOW64_POINTER(PVOID) glTable;
	WOW64_POINTER(PVOID) glCurrentRC;
	WOW64_POINTER(PVOID) glContext;

	NTSTATUS LastStatusValue;
	UNICODE_STRING32 StaticUnicodeString;
	WCHAR StaticUnicodeBuffer[261];

	WOW64_POINTER(PVOID) DeallocationStack;
	WOW64_POINTER(PVOID) TlsSlots[64];
	LIST_ENTRY32 TlsLinks;
} TEB32, *PTEB32;

typedef struct _PEB_LDR_DATA {
	ULONG Length;
	BOOLEAN Initialized;
	HANDLE SsHandle;
	LIST_ENTRY InLoadOrderModuleList;
	LIST_ENTRY InMemoryOrderModuleList;
	LIST_ENTRY InInitializationOrderModuleList;
	PVOID EntryInProgress;
	BOOLEAN ShutdownInProgress;
	HANDLE ShutdownThreadId;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _GDI_HANDLE_ENTRY {
	union
	{
		PVOID Object;
		PVOID NextFree;
	};
	union
	{
		struct
		{
			USHORT ProcessId;
			USHORT Lock : 1;
			USHORT Count : 15;
		};
		ULONG Value;
	} Owner;
	USHORT Unique;
	UCHAR Type;
	UCHAR Flags;
	PVOID UserPointer;
} GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY;

typedef struct _GDI_SHARED_MEMORY {
	GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT];
} GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY;

#define FLS_MAXIMUM_AVAILABLE 128
#define TLS_MINIMUM_AVAILABLE 64
#define TLS_EXPANSION_SLOTS 1024

#define DOS_MAX_COMPONENT_LENGTH 255
#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5)

typedef struct _CURDIR
{
	UNICODE_STRING DosPath;
	HANDLE Handle;
} CURDIR, *PCURDIR;

#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002
#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003

typedef struct _RTL_DRIVE_LETTER_CURDIR
{
	USHORT Flags;
	USHORT Length;
	ULONG TimeStamp;
	STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;

typedef struct _RTL_USER_PROCESS_PARAMETERS
{
	ULONG MaximumLength;
	ULONG Length;

	ULONG Flags;
	ULONG DebugFlags;

	HANDLE ConsoleHandle;
	ULONG ConsoleFlags;
	HANDLE StandardInput;
	HANDLE StandardOutput;
	HANDLE StandardError;

	CURDIR CurrentDirectory;
	UNICODE_STRING DllPath;
	UNICODE_STRING ImagePathName;
	UNICODE_STRING CommandLine;
	PVOID Environment;

	ULONG StartingX;
	ULONG StartingY;
	ULONG CountX;
	ULONG CountY;
	ULONG CountCharsX;
	ULONG CountCharsY;
	ULONG FillAttribute;

	ULONG WindowFlags;
	ULONG ShowWindowFlags;
	UNICODE_STRING WindowTitle;
	UNICODE_STRING DesktopInfo;
	UNICODE_STRING ShellInfo;
	UNICODE_STRING RuntimeData;
	RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];

	ULONG EnvironmentSize;
	ULONG EnvironmentVersion;
    PVOID PackageDependencyData; //8+
    ULONG ProcessGroupId;
   // ULONG LoaderThreads;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

typedef struct _PEB
{
	BOOLEAN InheritedAddressSpace;
	BOOLEAN ReadImageFileExecOptions;
	BOOLEAN BeingDebugged;
	union
	{
		BOOLEAN BitField;
		struct
		{
			BOOLEAN ImageUsesLargePages : 1;
			BOOLEAN IsProtectedProcess : 1;
			BOOLEAN IsLegacyProcess : 1;
			BOOLEAN IsImageDynamicallyRelocated : 1;
			BOOLEAN SkipPatchingUser32Forwarders : 1;
			BOOLEAN SpareBits : 3;
		};
	};
	HANDLE Mutant;

	PVOID ImageBaseAddress;
	PPEB_LDR_DATA Ldr;
	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
	PVOID SubSystemData;
	PVOID ProcessHeap;
	PRTL_CRITICAL_SECTION FastPebLock;
	PVOID AtlThunkSListPtr;
	PVOID IFEOKey;
	union
	{
		ULONG CrossProcessFlags;
		struct
		{
			ULONG ProcessInJob : 1;
			ULONG ProcessInitializing : 1;
			ULONG ProcessUsingVEH : 1;
			ULONG ProcessUsingVCH : 1;
			ULONG ProcessUsingFTH : 1;
			ULONG ReservedBits0 : 27;
		};
		ULONG EnvironmentUpdateCount;
	};
	union
	{
		PVOID KernelCallbackTable;
		PVOID UserSharedInfoPtr;
	};
	ULONG SystemReserved[1];
	ULONG AtlThunkSListPtr32;
	PVOID ApiSetMap;
	ULONG TlsExpansionCounter;
	PVOID TlsBitmap;
	ULONG TlsBitmapBits[2];
	PVOID ReadOnlySharedMemoryBase;
	PVOID HotpatchInformation;
	PVOID *ReadOnlyStaticServerData;
	PVOID AnsiCodePageData;
	PVOID OemCodePageData;
	PVOID UnicodeCaseTableData;

	ULONG NumberOfProcessors;
	ULONG NtGlobalFlag;

	LARGE_INTEGER CriticalSectionTimeout;
	SIZE_T HeapSegmentReserve;
	SIZE_T HeapSegmentCommit;
	SIZE_T HeapDeCommitTotalFreeThreshold;
	SIZE_T HeapDeCommitFreeBlockThreshold;

	ULONG NumberOfHeaps;
	ULONG MaximumNumberOfHeaps;
	PVOID *ProcessHeaps;

	PVOID GdiSharedHandleTable;
	PVOID ProcessStarterHelper;
	ULONG GdiDCAttributeList;

	PRTL_CRITICAL_SECTION LoaderLock;

	ULONG OSMajorVersion;
	ULONG OSMinorVersion;
	USHORT OSBuildNumber;
	USHORT OSCSDVersion;
	ULONG OSPlatformId;
	ULONG ImageSubsystem;
	ULONG ImageSubsystemMajorVersion;
	ULONG ImageSubsystemMinorVersion;
	ULONG_PTR ImageProcessAffinityMask;
	GDI_HANDLE_BUFFER GdiHandleBuffer;
	PVOID PostProcessInitRoutine;

	PVOID TlsExpansionBitmap;
	ULONG TlsExpansionBitmapBits[32];

	ULONG SessionId;

	ULARGE_INTEGER AppCompatFlags;
	ULARGE_INTEGER AppCompatFlagsUser;
	PVOID pShimData;
	PVOID AppCompatInfo;

	UNICODE_STRING CSDVersion;

	PVOID ActivationContextData;
	PVOID ProcessAssemblyStorageMap;
	PVOID SystemDefaultActivationContextData;
	PVOID SystemAssemblyStorageMap;

	SIZE_T MinimumStackCommit;

	PVOID *FlsCallback;
	LIST_ENTRY FlsListHead;
	PVOID FlsBitmap;
	ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
	ULONG FlsHighIndex;

	PVOID WerRegistrationData;
	PVOID WerShipAssertPtr;
	PVOID pContextData;
	PVOID pImageHeaderHash;
	union
	{
		ULONG TracingFlags;
		struct
		{
			ULONG HeapTracingEnabled : 1;
			ULONG CritSecTracingEnabled : 1;
			ULONG SpareTracingBits : 30;
		};
	};
} PEB, *PPEB;

typedef struct _TEB_ACTIVE_FRAME_CONTEXT
{
	ULONG Flags;
	PSTR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;

typedef struct _TEB_ACTIVE_FRAME
{
	ULONG Flags;
	struct _TEB_ACTIVE_FRAME *Previous;
	PTEB_ACTIVE_FRAME_CONTEXT Context;
} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;

#define GDI_BATCH_BUFFER_SIZE 310

typedef struct _GDI_TEB_BATCH {
	ULONG	Offset;
	UCHAR	Alignment[4];
	ULONG_PTR HDC;
	ULONG	Buffer[GDI_BATCH_BUFFER_SIZE];
} GDI_TEB_BATCH, *PGDI_TEB_BATCH;

typedef struct _TEB
{
	NT_TIB NtTib;

	PVOID EnvironmentPointer;
	CLIENT_ID ClientId;
	PVOID ActiveRpcHandle;
	PVOID ThreadLocalStoragePointer;
	PPEB ProcessEnvironmentBlock;

	ULONG LastErrorValue;
	ULONG CountOfOwnedCriticalSections;
	PVOID CsrClientThread;
	PVOID Win32ThreadInfo;
	ULONG User32Reserved[26];
	ULONG UserReserved[5];
	PVOID WOW32Reserved;
	LCID CurrentLocale;
	ULONG FpSoftwareStatusRegister;
	PVOID SystemReserved1[54];
	NTSTATUS ExceptionCode;
	PVOID ActivationContextStackPointer;
#if defined(_M_X64)
	UCHAR SpareBytes[24];
#else
	UCHAR SpareBytes[36];
#endif
	ULONG TxFsContext;

	GDI_TEB_BATCH GdiTebBatch;
	CLIENT_ID RealClientId;
	HANDLE GdiCachedProcessHandle;
	ULONG GdiClientPID;
	ULONG GdiClientTID;
	PVOID GdiThreadLocalInfo;
	ULONG_PTR Win32ClientInfo[62];
	PVOID glDispatchTable[233];
	ULONG_PTR glReserved1[29];
	PVOID glReserved2;
	PVOID glSectionInfo;
	PVOID glSection;
	PVOID glTable;
	PVOID glCurrentRC;
	PVOID glContext;

	NTSTATUS LastStatusValue;
	UNICODE_STRING StaticUnicodeString;
	WCHAR StaticUnicodeBuffer[261];

	PVOID DeallocationStack;
	PVOID TlsSlots[64];
	LIST_ENTRY TlsLinks;

	PVOID Vdm;
	PVOID ReservedForNtRpc;
	PVOID DbgSsReserved[2];

	ULONG HardErrorMode;
#if defined(_M_X64)
	PVOID Instrumentation[11];
#else
	PVOID Instrumentation[9];
#endif
	GUID ActivityId;

	PVOID SubProcessTag;
	PVOID EtwLocalData;
	PVOID EtwTraceData;
	PVOID WinSockData;
	ULONG GdiBatchCount;

	union
	{
		PROCESSOR_NUMBER CurrentIdealProcessor;
		ULONG IdealProcessorValue;
		struct
		{
			UCHAR ReservedPad0;
			UCHAR ReservedPad1;
			UCHAR ReservedPad2;
			UCHAR IdealProcessor;
		};
	};

	ULONG GuaranteedStackBytes;
	PVOID ReservedForPerf;
	PVOID ReservedForOle;
	ULONG WaitingOnLoaderLock;
	PVOID SavedPriorityState;
	ULONG_PTR SoftPatchPtr1;
	PVOID ThreadPoolData;
	PVOID *TlsExpansionSlots;
#if defined(_M_X64)
	PVOID DeallocationBStore;
	PVOID BStoreLimit;
#endif
	ULONG MuiGeneration;
	ULONG IsImpersonating;
	PVOID NlsCache;
	PVOID pShimData;
	ULONG HeapVirtualAffinity;
	HANDLE CurrentTransactionHandle;
	PTEB_ACTIVE_FRAME ActiveFrame;
	PVOID FlsData;

	PVOID PreferredLanguages;
	PVOID UserPrefLanguages;
	PVOID MergedPrefLanguages;
	ULONG MuiImpersonation;

	union
	{
		USHORT CrossTebFlags;
		USHORT SpareCrossTebBits : 16;
	};
	union
	{
		USHORT SameTebFlags;
		struct
		{
			USHORT SafeThunkCall : 1;
			USHORT InDebugPrint : 1;
			USHORT HasFiberData : 1;
			USHORT SkipThreadAttach : 1;
			USHORT WerInShipAssertCode : 1;
			USHORT RanProcessInit : 1;
			USHORT ClonedThread : 1;
			USHORT SuppressDebugMsg : 1;
			USHORT DisableUserStackWalk : 1;
			USHORT RtlExceptionAttached : 1;
			USHORT InitialThread : 1;
			USHORT SpareSameTebBits : 1;
		};
	};

	PVOID TxnScopeEnterCallback;
	PVOID TxnScopeExitCallback;
	PVOID TxnScopeContext;
	ULONG LockCount;
	ULONG SpareUlong0;
	PVOID ResourceRetValue;
} TEB, *PTEB;

typedef struct _PROCESS_DEVICEMAP_INFORMATION {
    union {
        struct {
            HANDLE DirectoryHandle;
        } Set;
        struct {
            ULONG DriveMap;
            UCHAR DriveType[32];
        } Query;
    };
} PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;

__inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmentBlock; }

/*
** PEB/TEB END
*/

/*
** ALPC START
*/

typedef struct _PORT_MESSAGE {
	union {
		struct {
			CSHORT DataLength;
			CSHORT TotalLength;
		} s1;
		ULONG Length;
	} u1;
	union {
		struct {
			CSHORT Type;
			CSHORT DataInfoOffset;
		} s2;
		ULONG ZeroInit;
	} u2;
	union {
		CLIENT_ID ClientId;
		double DoNotUseThisField;       // Force quadword alignment
	} u3;
	ULONG MessageId;
	union {
		ULONG ClientViewSize;               // Only valid on LPC_CONNECTION_REQUEST message
		ULONG CallbackId;                   // Only valid on LPC_REQUEST message
	} u4;
	UCHAR Reserved[8];
} PORT_MESSAGE, *PPORT_MESSAGE;

// end_ntsrv

typedef struct _PORT_DATA_ENTRY {
	PVOID Base;
	ULONG Size;
} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY;

typedef struct _PORT_DATA_INFORMATION {
	ULONG CountDataEntries;
	PORT_DATA_ENTRY DataEntries[1];
} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION;

#define LPC_REQUEST             1
#define LPC_REPLY               2
#define LPC_DATAGRAM            3
#define LPC_LOST_REPLY          4
#define LPC_PORT_CLOSED         5
#define LPC_CLIENT_DIED         6
#define LPC_EXCEPTION           7
#define LPC_DEBUG_EVENT         8
#define LPC_ERROR_EVENT         9
#define LPC_CONNECTION_REQUEST 10

#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE)
#define PORT_MAXIMUM_MESSAGE_LENGTH 256

typedef struct _LPC_CLIENT_DIED_MSG {
	PORT_MESSAGE PortMsg;
	LARGE_INTEGER CreateTime;
} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;

//#pragma pack(push, 1)
typedef struct _PORT_VIEW {
	ULONG Length;
	HANDLE SectionHandle;
	ULONG SectionOffset;
	SIZE_T ViewSize;
	PVOID ViewBase;
	PVOID ViewRemoteBase;
} PORT_VIEW, *PPORT_VIEW;

typedef struct _REMOTE_PORT_VIEW {
	ULONG Length;
	SIZE_T ViewSize;
	PVOID ViewBase;
} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;
//#pragma pack(pop)
/*
** ALPC END
*/

/*
** KUSER_SHARED_DATA START
*/

typedef struct _KSYSTEM_TIME {
	ULONG LowPart;
	LONG High1Time;
	LONG High2Time;
} KSYSTEM_TIME, *PKSYSTEM_TIME;

typedef enum _NT_PRODUCT_TYPE {
	NtProductWinNt = 1,
	NtProductLanManNt,
	NtProductServer
} NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;

#define PROCESSOR_FEATURE_MAX 64

typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE {
	StandardDesign,                 // None == 0 == standard design
	NEC98x86,                       // NEC PC98xx series on X86
	EndAlternatives                 // past end of known alternatives
} ALTERNATIVE_ARCHITECTURE_TYPE;

//
// Define Address of User Shared Data
//
#define MM_SHARED_USER_DATA_VA      0x000000007FFE0000

//
// WARNING: this definition is compatibility only.
// Structure is incomplete. Only important fields.
//
typedef struct _KUSER_SHARED_DATA_COMPAT {
	ULONG TickCountLowDeprecated;
	ULONG TickCountMultiplier;
	volatile KSYSTEM_TIME InterruptTime;
	volatile KSYSTEM_TIME SystemTime;
	volatile KSYSTEM_TIME TimeZoneBias;
	USHORT ImageNumberLow;
	USHORT ImageNumberHigh;
	WCHAR NtSystemRoot[260];
	ULONG MaxStackTraceDepth;
	ULONG CryptoExponent;
	ULONG TimeZoneId;
	ULONG LargePageMinimum;

	union {
		ULONG Reserved2[7];
		struct {
			ULONG AitSamplingValue;
			ULONG AppCompatFlag;
			struct {
				ULONG LowPart;
				ULONG HighPart;
			} RNGSeedVersion;
			ULONG GlobalValidationRunlevel;
			ULONG TimeZoneBiasStamp;
			ULONG ReservedField;
		};
	};
	
	NT_PRODUCT_TYPE NtProductType;
	BOOLEAN ProductTypeIsValid;
	ULONG NtMajorVersion;
	ULONG NtMinorVersion;
	BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];
	ULONG Reserved1;
	ULONG Reserved3;
	volatile ULONG TimeSlip;
	ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
	ULONG AltArchitecturePad;
	LARGE_INTEGER SystemExpirationDate;
	ULONG SuiteMask;
	BOOLEAN KdDebuggerEnabled;

	union {
		UCHAR MitigationPolicies;
		struct {
			UCHAR NXSupportPolicy : 2;
			UCHAR SEHValidationPolicy : 2;
			UCHAR CurDirDevicesSkippedForDlls : 2;
			UCHAR Reserved : 2;
			UCHAR Reserved6[2];
		};
	};

	volatile ULONG ActiveConsoleId;
	volatile ULONG DismountCount;
	ULONG ComPlusPackage;
	ULONG LastSystemRITEventTickCount;
	ULONG NumberOfPhysicalPages;
	BOOLEAN SafeBootMode;
	UCHAR Reserved12[3];

	union {
		ULONG SharedDataFlags;
		struct {
			ULONG DbgErrorPortPresent : 1;
			ULONG DbgElevationEnabled : 1;
			ULONG DbgVirtEnabled : 1;
			ULONG DbgInstallerDetectEnabled: 1;
			ULONG DbgLkgEnabled : 1;
			ULONG DbgDynProcessorEnabled : 1;
			ULONG DbgConsoleBrokerEnabled : 1;
			ULONG DbgSecureBootEnabled : 1;
            ULONG DbgMultiSessionSku : 1;
            ULONG DbgMultiUsersInSessionSku : 1;
            ULONG SpareBits : 22;
		};
	};

	//incomplete

} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;

#define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)MM_SHARED_USER_DATA_VA)

/*
** KUSER_SHARED_DATA END
*/

/*
** FLT MANAGER START
*/

#define FLTFL_MANDATORY_UNLOAD_IN_PROGRESS  0x1
#define FLTFL_FILTERING_INITIATED           0x2
#define FLTFL_NAME_PROVIDER                 0x4
#define FLTFL_SUPPORTS_PIPES_MAILSLOTS      0x8

#define FLT_OBFL_DRAINING                   0x1
#define FLT_OBFL_ZOMBIED                    0x2
#define FLT_OBFL_TYPE_INSTANCE              0x1000000
#define FLT_OBFL_TYPE_FILTER                0x2000000
#define FLT_OBFL_TYPE_VOLUME                0x4000000

typedef struct _FLT_OBJECT {
    ULONG Flags;
    ULONG PointerCount;
    EX_RUNDOWN_REF RundownRef;
    LIST_ENTRY PrimaryLink;
} FLT_OBJECT, *PFLT_OBJECT;

typedef struct _FLT_SERVER_PORT_OBJECT {
    LIST_ENTRY FilterLink;
    PVOID ConnectNotify;
    PVOID DisconnectNotify;
    PVOID MessageNotify;
    PVOID Filter;
    PVOID Cookie;
    ULONG Flags;
    ULONG NumberOfConnections;
    ULONG MaxConnections;
} FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT;

/*
** FLT MANAGER END
*/

/*
**  RTL START
*/

typedef NTSTATUS(*PUSER_PROCESS_START_ROUTINE)(
	PRTL_USER_PROCESS_PARAMETERS ProcessParameters
	);

typedef NTSTATUS(*PUSER_THREAD_START_ROUTINE)(
	PVOID ThreadParameter
	);

typedef struct _RTL_USER_PROCESS_INFORMATION {
	ULONG Length;
	HANDLE Process;
	HANDLE Thread;
	CLIENT_ID ClientId;
	SECTION_IMAGE_INFORMATION ImageInformation;
} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION;

//
// This structure is used only by Wow64 processes. The offsets
// of structure elements should the same as viewed by a native Win64 application.
//
typedef struct _RTL_USER_PROCESS_INFORMATION64 {
	ULONG Length;
	LONGLONG Process;
	LONGLONG Thread;
	CLIENT_ID64 ClientId;
	SECTION_IMAGE_INFORMATION64 ImageInformation;
} RTL_USER_PROCESS_INFORMATION64, *PRTL_USER_PROCESS_INFORMATION64;

/*
**  RTL END
*/

/*
**  LDR START
*/

typedef
VOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)(
	_In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry,
	_In_ PVOID Context,
	_Inout_ BOOLEAN *StopEnumeration
	);

typedef
VOID (CALLBACK *PLDR_DLL_NOTIFICATION_FUNCTION)(
    _In_     ULONG                       NotificationReason,
    _In_     PCLDR_DLL_NOTIFICATION_DATA NotificationData,
    _In_opt_ PVOID                       Context
    );

NTSTATUS NTAPI LdrAccessResource(
	_In_ PVOID DllHandle,
	_In_ CONST IMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry,
	_Out_opt_ PVOID *Address,
	_Out_opt_ PULONG Size
	);

NTSTATUS NTAPI LdrAddRefDll(
	ULONG Flags,
	PVOID DllHandle
	);

NTSTATUS NTAPI LdrEnumerateLoadedModules(
	_In_opt_ ULONG Flags,
	_In_     PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION CallbackFunction,
	_In_opt_ PVOID Context
	);

NTSTATUS NTAPI LdrFindResource_U(
	_In_ PVOID DllHandle,
	_In_ CONST ULONG_PTR* ResourceIdPath,
	_In_ ULONG ResourceIdPathLength,
	_Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry
	);

NTSTATUS NTAPI LdrFindEntryForAddress(
	_In_ PVOID Address,
	_Out_ PLDR_DATA_TABLE_ENTRY *TableEntry
	);

NTSTATUS NTAPI LdrGetDllHandle(
	_In_opt_ PCWSTR DllPath,
	_In_opt_ PULONG DllCharacteristics,
	_In_ PCUNICODE_STRING DllName,
	_Out_ PVOID *DllHandle
	);

NTSTATUS NTAPI LdrGetProcedureAddress(
	_In_     PVOID DllHandle,
	_In_opt_ CONST ANSI_STRING* ProcedureName,
	_In_opt_ ULONG ProcedureNumber,
	_Out_    PVOID *ProcedureAddress
	);

NTSTATUS NTAPI LdrLoadDll(
	_In_opt_ PCWSTR DllPath,
	_In_opt_ PULONG DllCharacteristics,
	_In_     PCUNICODE_STRING DllName,
	_Out_    PVOID *DllHandle
	);

NTSTATUS NTAPI LdrQueryProcessModuleInformation(
	_Out_     PRTL_PROCESS_MODULES ModuleInformation,
	_In_      ULONG ModuleInformationLength,
	_Out_opt_ PULONG ReturnLength 
	);

NTSTATUS NTAPI LdrUnloadDll(
	_In_ PVOID DllHandle
	);

NTSTATUS NTAPI LdrRegisterDllNotification(
    _In_     ULONG                          Flags,
    _In_     PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction,
    _In_opt_ PVOID                          Context,
    _Out_    PVOID                          *Cookie
    );

NTSTATUS NTAPI LdrUnregisterDllNotification(
    _In_ PVOID Cookie
    );

NTSTATUS NTAPI LdrResSearchResource(
    _In_        PVOID File,
    _In_        CONST ULONG_PTR* ResIds,
    _In_        ULONG ResIdCount,
    _In_        ULONG Flags,
    _Out_       LPVOID *Resource,
    _Out_       ULONG_PTR *Size,
    _In_opt_    USHORT *FoundLanguage,
    _In_opt_    ULONG *FoundLanguageLength
    );

NTSTATUS NTAPI LdrOpenImageFileOptionsKey(
    _In_ PCUNICODE_STRING ImagePathName,
    _In_ BOOLEAN Wow64Path,
    _Out_ PHANDLE KeyHandle
);

NTSTATUS NTAPI LdrQueryImageFileExecutionOptions(
    _In_ PCUNICODE_STRING ImagePathName,
    _In_ PCWSTR OptionName,
    _In_ ULONG Type,
    _Out_ PVOID Buffer,
    _In_ ULONG BufferSize,
    _Out_opt_ PULONG ResultSize
    );

NTSTATUS NTAPI LdrQueryImageFileExecutionOptionsEx(
    _In_ PCUNICODE_STRING ImagePathName,
    _In_ PCWSTR OptionName,
    _In_ ULONG Type,
    _Out_ PVOID Buffer,
    _In_ ULONG BufferSize,
    _Out_opt_ PULONG ResultSize,
    _In_ BOOLEAN Wow64Path
    );

NTSTATUS NTAPI LdrQueryImageFileKeyOption(
    _In_ HANDLE KeyHandle,
    _In_ PCWSTR OptionName,
    _In_ ULONG Type,
    _Out_ PVOID Buffer,
    _In_ ULONG BufferSize,
    _Out_opt_ PULONG ResultSize
    );

/*
**  LDR END
*/

typedef PVOID PHEAD;

typedef struct _HANDLEENTRY {
    PHEAD   phead;  // Pointer to the Object.
    PVOID   pOwner; // PTI or PPI
    BYTE    bType;  // Object handle type
    BYTE    bFlags; // Flags
    WORD    wUniq;  // Access count.
} HANDLEENTRY, *PHANDLEENTRY;

typedef struct _SERVERINFO {
    WORD            wRIPFlags;
    WORD            wSRVIFlags;
    WORD            wRIPPID;
    WORD            wRIPError;
    ULONG           cHandleEntries;
    // incomplete
} SERVERINFO, *PSERVERINFO;

typedef struct _SHAREDINFO {
    PSERVERINFO		psi;
    PHANDLEENTRY	aheList;
    ULONG			HeEntrySize;
    // incomplete
} SHAREDINFO, *PSHAREDINFO;

typedef struct _USERCONNECT
{
    ULONG ulVersion;
    ULONG ulCurrentVersion;
    DWORD dwDispatchCount;
    SHAREDINFO siClient;
} USERCONNECT, *PUSERCONNECT;

/*
** Csr Runtime START
*/

ULONG NTAPI CsrGetProcessId(
	);

NTSTATUS NTAPI CsrClientConnectToServer(
    _In_ PWSTR ObjectDirectory,  
    _In_ ULONG ServerDllIndex,
    _Inout_ PVOID ConnectionInformation,
    _Inout_ ULONG *ConnectionInformationLength, 
    _Out_ PBOOLEAN CalledFromServer
);

/*
** Csr Runtime END
*/

/*
** Runtime Library API START
*/

NTSTATUS NTAPI RtlCreateEnvironment(
    _In_ BOOLEAN CloneCurrentEnvironment,
    _Out_ PVOID *Environment
    );

NTSTATUS NTAPI RtlDestroyEnvironment(
    _In_ PVOID Environment
    );

NTSTATUS NTAPI RtlCreateProcessParameters(
    _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
    _In_ PUNICODE_STRING ImagePathName,
    _In_opt_ PUNICODE_STRING DllPath,
    _In_opt_ PUNICODE_STRING CurrentDirectory,
    _In_opt_ PUNICODE_STRING CommandLine,
    _In_opt_ PVOID Environment,
    _In_opt_ PUNICODE_STRING WindowTitle,
    _In_opt_ PUNICODE_STRING DesktopInfo,
    _In_opt_ PUNICODE_STRING ShellInfo,
    _In_opt_ PUNICODE_STRING RuntimeData
    );

NTSTATUS NTAPI RtlDestroyProcessParameters(
    _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters
    );

NTSTATUS NTAPI RtlCreateProcessParametersEx(
    _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
    _In_ PUNICODE_STRING ImagePathName,
    _In_opt_ PUNICODE_STRING DllPath,
    _In_opt_ PUNICODE_STRING CurrentDirectory,
    _In_opt_ PUNICODE_STRING CommandLine,
    _In_opt_ PVOID Environment,
    _In_opt_ PUNICODE_STRING WindowTitle,
    _In_opt_ PUNICODE_STRING DesktopInfo,
    _In_opt_ PUNICODE_STRING ShellInfo,
    _In_opt_ PUNICODE_STRING RuntimeData,
    _In_ ULONG Flags);

NTSTATUS NTAPI RtlCreateUserProcess(
	PUNICODE_STRING NtImagePathName,
	ULONG Attributes,
	PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
	PSECURITY_DESCRIPTOR ProcessSecurityDescriptor,
	PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
	HANDLE ParentProcess,
	BOOLEAN InheritHandles,
	HANDLE DebugPort,
	HANDLE ExceptionPort,
	PRTL_USER_PROCESS_INFORMATION ProcessInformation
	);

NTSTATUS NTAPI RtlCreateUserThread(
    _In_ HANDLE Process,
    _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
    _In_ BOOLEAN CreateSuspended,
    _In_ ULONG StackZeroBits,
    _In_opt_ SIZE_T MaximumStackSize,
    _In_opt_ SIZE_T InitialStackSize,
    _In_ PUSER_THREAD_START_ROUTINE StartAddress,
    _In_opt_ PVOID Parameter,
    _Out_opt_ PHANDLE Thread,
    _Out_opt_ PCLIENT_ID ClientId
    );

VOID NTAPI RtlExitUserThread(
	IN NTSTATUS ExitStatus
	);

VOID NTAPI RtlFreeUserThreadStack(
	HANDLE hProcess,
	HANDLE hThread
	);

ULONG NTAPI RtlRandomEx(
	_Inout_ PULONG Seed
	);

PVOID NTAPI RtlAddVectoredExceptionHandler(
	_In_ ULONG First,
	_In_ PVECTORED_EXCEPTION_HANDLER Handler
	);

ULONG NTAPI RtlRemoveVectoredExceptionHandler(
	_In_ PVOID Handle
	);

VOID NTAPI RtlRaiseException(
    _In_ PEXCEPTION_RECORD
    );

VOID NTAPI RtlPushFrame(
	_In_ PTEB_ACTIVE_FRAME Frame
	);

VOID NTAPI RtlPopFrame(
	_In_ PTEB_ACTIVE_FRAME Frame
	);

PTEB_ACTIVE_FRAME NTAPI RtlGetFrame(
	VOID
	);

BOOLEAN NTAPI RtlCreateUnicodeString(
    _Out_ PUNICODE_STRING DestinationString,
    _In_  PCWSTR          SourceString
    );

VOID NTAPI RtlInitUnicodeString(
	_Inout_	PUNICODE_STRING DestinationString,
    _In_opt_ PCWSTR SourceString
	);

BOOLEAN NTAPI RtlEqualUnicodeString(
	_In_ PCUNICODE_STRING String1,
	_In_ PCUNICODE_STRING String2,
	_In_ BOOLEAN CaseInSensitive
	);

BOOLEAN NTAPI RtlPrefixUnicodeString(
	_In_ PCUNICODE_STRING String1,
	_In_ PCUNICODE_STRING String2,
	_In_ BOOLEAN CaseInSensitive
	);

NTSTATUS NTAPI RtlGetVersion(
	_Inout_	PRTL_OSVERSIONINFOW lpVersionInformation
	);

ULONG NTAPI RtlNtStatusToDosError(
	_In_ NTSTATUS Status
	);

NTSTATUS NTAPI RtlGetOwnerSecurityDescriptor(
	_In_  PSECURITY_DESCRIPTOR SecurityDescriptor,
	_Out_ PSID *Owner,
	_Out_ PBOOLEAN OwnerDefaulted
	);

NTSTATUS NTAPI RtlGetGroupSecurityDescriptor(
	_In_  PSECURITY_DESCRIPTOR SecurityDescriptor,
	_Out_ PSID *Group,
	_Out_ PBOOLEAN GroupDefaulted
	);

NTSTATUS NTAPI RtlGetDaclSecurityDescriptor(
	_In_  PSECURITY_DESCRIPTOR SecurityDescriptor,
	_Out_ PBOOLEAN DaclPresent,
	_Out_ PACL *Dacl,
	_Out_ PBOOLEAN DaclDefaulted
	);

NTSTATUS NTAPI RtlGetSaclSecurityDescriptor(
	_In_  PSECURITY_DESCRIPTOR SecurityDescriptor,
	_Out_ PBOOLEAN SaclPresent,
	_Out_ PACL *Sacl,
	_Out_ PBOOLEAN SaclDefaulted
	);

ULONG NTAPI RtlLengthSecurityDescriptor(
	_In_ PSECURITY_DESCRIPTOR SecurityDescriptor
	);

VOID NTAPI RtlMapGenericMask(
	_In_ PACCESS_MASK AccessMask,
	_In_ PGENERIC_MAPPING GenericMapping
	);

VOID NTAPI RtlInitString(
	PSTRING DestinationString,
	PCSZ SourceString
	);

NTSTATUS NTAPI RtlExpandEnvironmentStrings(
    _In_opt_ PVOID Environment,
    _In_reads_(SrcLength) PWSTR Src,
    _In_ SIZE_T SrcLength,
    _Out_writes_opt_(DstLength) PWSTR Dst,
    _In_ SIZE_T DstLength,
    _Out_opt_ PSIZE_T ReturnLength
    );

NTSTATUS NTAPI RtlExpandEnvironmentStrings_U(
	_In_opt_	PVOID Environment,
	_In_		PCUNICODE_STRING Source,
	_Out_		PUNICODE_STRING Destination,
	_Out_opt_	PULONG ReturnedLength
	);

VOID NTAPI RtlSetLastWin32Error(
	LONG Win32Error
	);

NTSTATUS NTAPI RtlWow64EnableFsRedirection(
    _In_ BOOLEAN Wow64FsEnableRedirection
    );

NTSTATUS NTAPI RtlWow64EnableFsRedirectionEx(
    _In_ PVOID DisableFsRedirection,
    _Out_ PVOID *OldFsRedirectionLevel
    );

PVOID NTAPI RtlEncodePointer(
    PVOID Ptr
    );

PVOID NTAPI RtlDecodePointer(
    PVOID Ptr
    );

typedef NTSTATUS
(NTAPI * PRTL_HEAP_COMMIT_ROUTINE)(
	IN PVOID Base,
	IN OUT PVOID *CommitAddress,
	IN OUT PSIZE_T CommitSize
	);

typedef struct _RTL_HEAP_PARAMETERS {
	ULONG Length;
	SIZE_T SegmentReserve;
	SIZE_T SegmentCommit;
	SIZE_T DeCommitFreeBlockThreshold;
	SIZE_T DeCommitTotalFreeThreshold;
	SIZE_T MaximumAllocationSize;
	SIZE_T VirtualMemoryThreshold;
	SIZE_T InitialCommit;
	SIZE_T InitialReserve;
	PRTL_HEAP_COMMIT_ROUTINE CommitRoutine;
	SIZE_T Reserved[2];
} RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS;

PVOID NTAPI RtlCreateHeap(
	_In_ ULONG Flags,
	_In_opt_ PVOID HeapBase,
	_In_opt_ SIZE_T ReserveSize,
	_In_opt_ SIZE_T CommitSize,
	_In_opt_ PVOID Lock,
	_In_opt_ PRTL_HEAP_PARAMETERS Parameters 
	);

PVOID NTAPI RtlDestroyHeap(
	_In_ PVOID HeapHandle
	);

PVOID NTAPI RtlAllocateHeap(
	_In_ PVOID HeapHandle,
	_In_ ULONG Flags,
	_In_ SIZE_T Size
	);

BOOLEAN NTAPI RtlFreeHeap(
	_In_ PVOID HeapHandle,
	_In_ ULONG Flags,
	_In_ PVOID BaseAddress
	);

BOOLEAN NTAPI RtlValidSid(
	PSID Sid
	);

BOOLEAN NTAPI RtlEqualSid(
	PSID Sid1,
	PSID Sid2
	);

BOOLEAN NTAPI RtlEqualPrefixSid(
	PSID Sid1,
	PSID Sid2
	);

ULONG NTAPI RtlLengthRequiredSid(
	ULONG SubAuthorityCount
	);

PVOID NTAPI RtlFreeSid(
	IN PSID Sid
	);

NTSTATUS NTAPI RtlAllocateAndInitializeSid(
	IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
	IN UCHAR SubAuthorityCount,
	IN ULONG SubAuthority0,
	IN ULONG SubAuthority1,
	IN ULONG SubAuthority2,
	IN ULONG SubAuthority3,
	IN ULONG SubAuthority4,
	IN ULONG SubAuthority5,
	IN ULONG SubAuthority6,
	IN ULONG SubAuthority7,
	OUT PSID *Sid
	);
                                          
NTSTATUS NTAPI RtlInitializeSid(                                  
	PSID Sid,                                      
	PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,  
	UCHAR SubAuthorityCount                         
	);                                              

PSID_IDENTIFIER_AUTHORITY NTAPI RtlIdentifierAuthoritySid(
	PSID Sid
	);

PULONG NTAPI RtlSubAuthoritySid(                               
	PSID Sid,                                       
	ULONG SubAuthority                              
	);                                              

PUCHAR NTAPI RtlSubAuthorityCountSid(
	PSID Sid
	);

ULONG NTAPI RtlLengthSid(
	PSID Sid
	);

NTSTATUS NTAPI RtlCopySid(
	ULONG DestinationSidLength,
	PSID DestinationSid,
	PSID SourceSid
	);

NTSTATUS NTAPI RtlCopySidAndAttributesArray(
	ULONG ArrayLength,
	PSID_AND_ATTRIBUTES Source,
	ULONG TargetSidBufferSize,
	PSID_AND_ATTRIBUTES TargetArrayElement,
	PSID TargetSid,
	PSID *NextTargetSid,
	PULONG RemainingTargetSidSize
	);

NTSTATUS NTAPI RtlLengthSidAsUnicodeString(
	PSID Sid,
	PULONG StringLength
	);

NTSTATUS NTAPI RtlConvertSidToUnicodeString(
	PUNICODE_STRING UnicodeString,
	PSID Sid,
	BOOLEAN AllocateDestinationString
	);

NTSTATUS NTAPI RtlCreateSecurityDescriptor(
	PSECURITY_DESCRIPTOR SecurityDescriptor,
	ULONG Revision
	);

NTSTATUS NTAPI RtlSetOwnerSecurityDescriptor( 
	PSECURITY_DESCRIPTOR SecurityDescriptor,   
	PSID Owner,                                
	BOOLEAN OwnerDefaulted                     
	);

FORCEINLINE LUID
NTAPI
RtlConvertLongToLuid(
	LONG Long
	)
{
	LUID TempLuid;
	LARGE_INTEGER TempLi;

	TempLi.QuadPart = Long;
	TempLuid.LowPart = TempLi.LowPart;
	TempLuid.HighPart = TempLi.HighPart;
	return(TempLuid);
}

NTSTATUS NTAPI RtlFormatCurrentUserKeyPath(
	_Out_ PUNICODE_STRING CurrentUserKeyPath
	);

VOID NTAPI RtlFreeUnicodeString(
	PUNICODE_STRING UnicodeString
	);

VOID NTAPI RtlFreeAnsiString(
	PANSI_STRING AnsiString
	);

NTSTATUS NTAPI RtlAnsiStringToUnicodeString(
	PUNICODE_STRING DestinationString,
	PCANSI_STRING SourceString,
	BOOLEAN AllocateDestinationString
	);

BOOLEAN NTAPI RtlDosPathNameToNtPathName_U(
	_In_ PCWSTR DosFileName,
	_Out_ PUNICODE_STRING NtFileName,
	_Out_opt_ PWSTR *FilePart,
	PVOID Reserved
	);

NTSTATUS NTAPI RtlGetCompressionWorkSpaceSize(
	_In_ USHORT CompressionFormatAndEngine,
	_Out_ PULONG CompressBufferWorkSpaceSize,
	_Out_ PULONG CompressFragmentWorkSpaceSize
	);

NTSTATUS NTAPI RtlCompressBuffer(
	_In_ USHORT CompressionFormatAndEngine,
	_In_ PUCHAR UncompressedBuffer,
	_In_ ULONG UncompressedBufferSize,
	_Out_ PUCHAR CompressedBuffer,
	_In_ ULONG CompressedBufferSize,
	_In_ ULONG UncompressedChunkSize,
	_Out_ PULONG FinalCompressedSize,
	_In_ PVOID WorkSpace
	);

NTSTATUS NTAPI RtlDecompressBuffer(
	_In_ USHORT CompressionFormat,
	_Out_ PUCHAR UncompressedBuffer,
	_In_ ULONG UncompressedBufferSize,
	_In_ PUCHAR CompressedBuffer,
	_In_ ULONG CompressedBufferSize,
	_Out_ PULONG FinalUncompressedSize
	);

PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(
	_In_ PVOID Base
	);

NTSYSAPI PVOID NTAPI RtlAddressInSectionTable(
	_In_ PIMAGE_NT_HEADERS NtHeaders,
	_In_ PVOID BaseOfImage,
	_In_ ULONG VirtualAddress
	);

PVOID NTAPI RtlImageDirectoryEntryToData(
	PVOID BaseOfImage,
	BOOLEAN MappedAsImage,
	USHORT DirectoryEntry,
	PULONG Size
	);

VOID NTAPI RtlSecondsSince1970ToTime(
	ULONG ElapsedSeconds,
	PLARGE_INTEGER Time
	);

VOID NTAPI RtlSecondsSince1980ToTime(
	ULONG ElapsedSeconds,
	PLARGE_INTEGER Time
	);

BOOLEAN NTAPI RtlTimeToSecondsSince1980(
	PLARGE_INTEGER Time,
	PULONG ElapsedSeconds
	);

VOID NTAPI RtlTimeToTimeFields(
	_Inout_ PLARGE_INTEGER Time,
	_Inout_ PTIME_FIELDS TimeFields
	);

BOOLEAN NTAPI RtlTimeFieldsToTime(
	PTIME_FIELDS TimeFields,
	PLARGE_INTEGER Time
	);

ULONG32 NTAPI RtlComputeCrc32(
	_In_ ULONG32 PartialCrc,
	_In_ PVOID Buffer,
	_In_ ULONG Length
	);

VOID NTAPI RtlGetNtVersionNumbers(
	_Out_opt_  PULONG MajorVersion,
	_Out_opt_  PULONG MinorVersion,
	_Out_opt_  PULONG BuildNumber
	);

PPEB NTAPI RtlGetCurrentPeb(
	VOID
	);

PWSTR NTAPI RtlIpv4AddressToStringW(
	__in const struct in_addr *Addr,
	__out_ecount(16) PWSTR S
	);

NTSTATUS NTAPI RtlAdjustPrivilege(
	ULONG Privilege,
	BOOLEAN Enable,
	BOOLEAN Client,
	PBOOLEAN WasEnabled
	);

//
// preallocated heap-growable buffers
//
typedef struct _RTL_BUFFER {
    PUCHAR    Buffer;
    PUCHAR    StaticBuffer;
    SIZE_T    Size;
    SIZE_T    StaticSize;
    SIZE_T    ReservedForAllocatedSize; // for future doubling
    PVOID     ReservedForIMalloc; // for future pluggable growth
} RTL_BUFFER, *PRTL_BUFFER;

typedef struct _RTL_UNICODE_STRING_BUFFER {
    UNICODE_STRING String;
    RTL_BUFFER     ByteBuffer;
    UCHAR          MinimumStaticBufferForTerminalNul[sizeof(WCHAR)];
} RTL_UNICODE_STRING_BUFFER, *PRTL_UNICODE_STRING_BUFFER;

NTSTATUS NTAPI RtlNtPathNameToDosPathName(
    _In_ ULONG Flags,
    _Inout_ PRTL_UNICODE_STRING_BUFFER Path,
    _Out_opt_ PULONG Disposition,
    _Inout_opt_ PWSTR* FilePart
    );

ULONG NTAPI RtlIsDosDeviceName_U(
    PCWSTR DosFileName
    );

ULONG NTAPI RtlGetFullPathName_U(
    __in PCWSTR lpFileName,
    __in ULONG nBufferLength,
    __out_bcount(nBufferLength) PWSTR lpBuffer,
    __out_opt PWSTR *lpFilePart
    );

typedef enum _RTL_PATH_TYPE {
    RtlPathTypeUnknown,         // 0
    RtlPathTypeUncAbsolute,     // 1
    RtlPathTypeDriveAbsolute,   // 2
    RtlPathTypeDriveRelative,   // 3
    RtlPathTypeRooted,          // 4
    RtlPathTypeRelative,        // 5
    RtlPathTypeLocalDevice,     // 6
    RtlPathTypeRootLocalDevice  // 7
} RTL_PATH_TYPE;

RTL_PATH_TYPE NTAPI RtlDetermineDosPathNameType_U(
    PCWSTR DosFileName
    );

#define HASH_STRING_ALGORITHM_DEFAULT   (0)
#define HASH_STRING_ALGORITHM_X65599    (1)
#define HASH_STRING_ALGORITHM_INVALID   (0xffffffff)

NTSTATUS NTAPI RtlHashUnicodeString(
    _In_ const UNICODE_STRING *String,
    _In_ BOOLEAN CaseInSensitive,
    _In_ ULONG HashAlgorithm,
    _Out_ PULONG HashValue
);

ULONG DbgPrint(
	_In_ PCH Format,
	...
	);

/*
** Runtime Library API END
*/

/*
** Generic AVL API START
*/
typedef ULONG CLONG;

typedef enum _TABLE_SEARCH_RESULT {
	TableEmptyTree,
	TableFoundNode,
	TableInsertAsLeft,
	TableInsertAsRight
} TABLE_SEARCH_RESULT;

typedef enum _RTL_GENERIC_COMPARE_RESULTS {
	GenericLessThan,
	GenericGreaterThan,
	GenericEqual
} RTL_GENERIC_COMPARE_RESULTS;

typedef struct _RTL_AVL_TABLE RTL_AVL_TABLE;
typedef struct PRTL_AVL_TABLE *_RTL_AVL_TABLE;

typedef RTL_GENERIC_COMPARE_RESULTS(NTAPI *PRTL_AVL_COMPARE_ROUTINE)(
	_In_  _RTL_AVL_TABLE *Table,
	_In_ PVOID FirstStruct,
	_In_ PVOID SecondStruct
	);

typedef PVOID(NTAPI *PRTL_AVL_ALLOCATE_ROUTINE)(
	_In_ _RTL_AVL_TABLE *Table,
	_In_ ULONG ByteSize
	);

typedef VOID(NTAPI *PRTL_AVL_FREE_ROUTINE)(
	_In_  _RTL_AVL_TABLE *Table,
	_In_ _Post_invalid_ PVOID Buffer
	);

typedef NTSTATUS(NTAPI *PRTL_AVL_MATCH_FUNCTION)(
	_In_  _RTL_AVL_TABLE *Table,
	_In_ PVOID UserData,
	_In_ PVOID MatchData
	);

typedef struct _RTL_BALANCED_LINKS {
	struct _RTL_BALANCED_LINKS *Parent;
	struct _RTL_BALANCED_LINKS *LeftChild;
	struct _RTL_BALANCED_LINKS *RightChild;
	CHAR Balance;
	UCHAR Reserved[3];
} RTL_BALANCED_LINKS, *PRTL_BALANCED_LINKS;

typedef struct _RTL_AVL_TABLE {
	RTL_BALANCED_LINKS BalancedRoot;
	PVOID OrderedPointer;
	ULONG WhichOrderedElement;
	ULONG NumberGenericTableElements;
	ULONG DepthOfTree;
	PRTL_BALANCED_LINKS RestartKey;
	ULONG DeleteCount;
	PRTL_AVL_COMPARE_ROUTINE CompareRoutine;
	PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine;
	PRTL_AVL_FREE_ROUTINE FreeRoutine;
	PVOID TableContext;
} RTL_AVL_TABLE, *PRTL_AVL_TABLE;

VOID NTAPI RtlInitializeGenericTableAvl(
	_Out_ PRTL_AVL_TABLE Table,
	_In_ PRTL_AVL_COMPARE_ROUTINE CompareRoutine,
	_In_ PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine,
	_In_ PRTL_AVL_FREE_ROUTINE FreeRoutine,
	_In_opt_ PVOID TableContext
	);

PVOID NTAPI RtlInsertElementGenericTableAvl(
	_In_ PRTL_AVL_TABLE Table,
	_In_reads_bytes_(BufferSize) PVOID Buffer,
	_In_ CLONG BufferSize,
	_Out_opt_ PBOOLEAN NewElement
	);

PVOID NTAPI RtlInsertElementGenericTableFullAvl(
	_In_ PRTL_AVL_TABLE Table,
	_In_reads_bytes_(BufferSize) PVOID Buffer,
	_In_ CLONG BufferSize,
	_Out_opt_ PBOOLEAN NewElement,
	_In_ PVOID NodeOrParent,
	_In_ TABLE_SEARCH_RESULT SearchResult
	);

BOOLEAN NTAPI RtlDeleteElementGenericTableAvl(
	_In_ PRTL_AVL_TABLE Table,
	_In_ PVOID Buffer
	);

PVOID NTAPI RtlLookupElementGenericTableAvl(
	_In_ PRTL_AVL_TABLE Table,
	_In_ PVOID Buffer
	);

PVOID NTAPI RtlLookupElementGenericTableFullAvl(
	_In_ PRTL_AVL_TABLE Table,
	_In_ PVOID Buffer,
	_Out_ PVOID *NodeOrParent,
	_Out_ TABLE_SEARCH_RESULT *SearchResult
	);

PVOID NTAPI RtlEnumerateGenericTableAvl(
	_In_ PRTL_AVL_TABLE Table,
	_In_ BOOLEAN Restart
	);

PVOID NTAPI RtlEnumerateGenericTableWithoutSplayingAvl(
	_In_ PRTL_AVL_TABLE Table,
	_Inout_ PVOID *RestartKey
	);

PVOID NTAPI RtlLookupFirstMatchingElementGenericTableAvl(
	_In_ PRTL_AVL_TABLE Table,
	_In_ PVOID Buffer,
	_Out_ PVOID *RestartKey
	);

PVOID NTAPI RtlEnumerateGenericTableLikeADirectory(
	_In_ PRTL_AVL_TABLE Table,
	_In_opt_ PRTL_AVL_MATCH_FUNCTION MatchFunction,
	_In_opt_ PVOID MatchData,
	_In_ ULONG NextFlag,
	_Inout_ PVOID *RestartKey,
	_Inout_ PULONG DeleteCount,
	_In_ PVOID Buffer
	);

PVOID NTAPI RtlGetElementGenericTableAvl(
	_In_ PRTL_AVL_TABLE Table,
	_In_ ULONG I
	);

ULONG NTAPI RtlNumberGenericTableElementsAvl(
	_In_ PRTL_AVL_TABLE Table
	);

BOOLEAN NTAPI RtlIsGenericTableEmptyAvl(
	_In_ PRTL_AVL_TABLE Table
	);

/*
** Generic Avl END
*/

/*
** Critical Section START
*/
#define LOGICAL ULONG

NTSTATUS NTAPI RtlEnterCriticalSection(
	PRTL_CRITICAL_SECTION CriticalSection
	);

NTSTATUS NTAPI RtlLeaveCriticalSection(
	PRTL_CRITICAL_SECTION CriticalSection
	);

LOGICAL NTAPI RtlIsCriticalSectionLocked(
	IN PRTL_CRITICAL_SECTION CriticalSection
	);

LOGICAL NTAPI RtlIsCriticalSectionLockedByThread(
	IN PRTL_CRITICAL_SECTION CriticalSection
	);

ULONG NTAPI RtlGetCriticalSectionRecursionCount(
	IN PRTL_CRITICAL_SECTION CriticalSection
	);

LOGICAL NTAPI RtlTryEnterCriticalSection(
	PRTL_CRITICAL_SECTION CriticalSection
	);

NTSTATUS NTAPI RtlInitializeCriticalSection(
	PRTL_CRITICAL_SECTION CriticalSection
	);

VOID NTAPI RtlEnableEarlyCriticalSectionEventCreation(
	VOID
	);

NTSTATUS NTAPI RtlInitializeCriticalSectionAndSpinCount(
	PRTL_CRITICAL_SECTION CriticalSection,
	ULONG SpinCount
	);

ULONG NTAPI RtlSetCriticalSectionSpinCount(
	PRTL_CRITICAL_SECTION CriticalSection,
	ULONG SpinCount
	);

NTSTATUS NTAPI RtlDeleteCriticalSection(
	PRTL_CRITICAL_SECTION CriticalSection
	);

/*
** Critical Section END
*/

/*
** UAC Elevation Start
*/

#define DBG_FLAG_ELEVATION_ENABLED 1
#define DBG_FLAG_VIRTUALIZATION_ENABLED 2
#define DBG_FLAG_INSTALLER_DETECT_ENABLED 3

NTSTATUS NTAPI RtlQueryElevationFlags(
    _Inout_ ULONG *ElevationFlags
    );

/*
** UAC Elevation END
*/


/*
*  Memory parition START
*/

typedef enum _MEMORY_PARTITION_INFORMATION_CLASS {
    SystemMemoryPartitionInformation,
    SystemMemoryPartitionMoveMemory,
    SystemMemoryPartitionAddPagefile,
    SystemMemoryPartitionCombineMemory,
    SystemMemoryPartitionInitialAddMemory
} MEMORY_PARTITION_INFORMATION_CLASS;

typedef struct _MEMORY_PARTITION_PAGE_RANGE {
    ULONG_PTR StartPage;
    ULONG_PTR NumberOfPages;
} MEMORY_PARTITION_PAGE_RANGE, *PMEMORY_PARTITION_PAGE_RANGE;

typedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION {
    ULONG Flags;
    ULONG NumberOfRanges;
    ULONG_PTR NumberOfPagesAdded;
    MEMORY_PARTITION_PAGE_RANGE PartitionRanges[1];
} MEMORY_PARTITION_INITIAL_ADD_INFORMATION, *PMEMORY_PARTITION_INITIAL_ADD_INFORMATION;

typedef struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION {
    PVOID StopHandle;
    ULONG Flags;
    ULONG_PTR TotalNumberOfPages;
} MEMORY_PARTITION_PAGE_COMBINE_INFORMATION, *PMEMORY_PARTITION_PAGE_COMBINE_INFORMATION;

typedef struct _MEMORY_PARTITION_PAGEFILE_INFORMATION {
    UNICODE_STRING PageFileName;
    LARGE_INTEGER MinimumSize;
    LARGE_INTEGER MaximumSize;
    ULONG Flags;
} MEMORY_PARTITION_PAGEFILE_INFORMATION, *PMEMORY_PARTITION_PAGEFILE_INFORMATION;

typedef struct _MEMORY_PARTITION_TRANSFER_INFORMATION {
    ULONG_PTR NumberOfPages;
    ULONG NumaNode;
    ULONG Flags;
} MEMORY_PARTITION_TRANSFER_INFORMATION, *PMEMORY_PARTITION_TRANSFER_INFORMATION;

typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION {
    ULONG Flags;
    ULONG NumaNode;
    ULONG Channel;
    ULONG NumberOfNumaNodes;
    ULONG_PTR ResidentAvailablePages;
    ULONG_PTR CommittedPages;
    ULONG_PTR CommitLimit;
    ULONG_PTR PeakCommitment;
    ULONG_PTR TotalNumberOfPages;
    ULONG_PTR AvailablePages;
    ULONG_PTR ZeroPages;
    ULONG_PTR FreePages;
    ULONG_PTR StandbyPages;
} MEMORY_PARTITION_CONFIGURATION_INFORMATION, *PMEMORY_PARTITION_CONFIGURATION_INFORMATION;

NTSTATUS NTAPI NtOpenPartition(
    _Out_ PHANDLE PartitionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes
    );

NTSTATUS NTAPI NtManagePartition(
    _In_ HANDLE TargetHandle,
    _In_ HANDLE SourceHandle,
    _In_ MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass,
    _Inout_ PVOID PartitionInformation,
    _In_ SIZE_T PartitionInformationLength
    );

NTSTATUS NTAPI NtCreatePartition(
    _Out_ PHANDLE PartitionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ ULONG PreferredNode
    );

/*
*  Memory partition END
*/

/*
** Native API START
*/

NTSTATUS NTAPI NtClose(
	_In_ HANDLE Handle
	);

NTSTATUS NTAPI NtCreateDirectoryObject(
    _Out_ PHANDLE DirectoryHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes
    );

NTSTATUS NTAPI NtCreateDirectoryObjectEx(
    _Out_ PHANDLE DirectoryHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ HANDLE ShadowDirectoryHandle,
    _In_ ULONG Flags
    );

NTSTATUS NTAPI NtOpenDirectoryObject(
    _Out_  PHANDLE				DirectoryHandle,
    _In_   ACCESS_MASK			DesiredAccess,
    _In_   POBJECT_ATTRIBUTES	ObjectAttributes
    );

NTSTATUS NTAPI NtQueryDirectoryObject(
	_In_       HANDLE DirectoryHandle,
	_Out_opt_  PVOID Buffer,
	_In_       ULONG Length,
	_In_       BOOLEAN ReturnSingleEntry,
	_In_       BOOLEAN RestartScan,
	_Inout_    PULONG Context,
	PULONG ReturnLength
	);

NTSTATUS NTAPI NtQueryObject(
	_In_opt_   HANDLE Handle,
	_In_       OBJECT_INFORMATION_CLASS ObjectInformationClass,
	_Out_opt_  PVOID ObjectInformation,
	_In_       ULONG ObjectInformationLength,
	_Out_opt_  PULONG ReturnLength
	);

NTSTATUS WINAPI NtQuerySystemInformation(
	_In_       SYSTEM_INFORMATION_CLASS SystemInformationClass,
	_Inout_    PVOID SystemInformation,
	_In_       ULONG SystemInformationLength,
	_Out_opt_  PULONG ReturnLength
	);

NTSTATUS NTAPI NtSetSystemInformation(
	_In_       SYSTEM_INFORMATION_CLASS SystemInformationClass,
	_In_opt_   PVOID SystemInformation,
	_In_       ULONG SystemInformationLength
	);

NTSTATUS NTAPI NtCreateMutant(
	_Out_		PHANDLE MutantHandle,
	_In_		ACCESS_MASK DesiredAccess,
	_In_opt_	POBJECT_ATTRIBUTES ObjectAttributes,
	_In_		BOOLEAN InitialOwner
	);

NTSTATUS NTAPI NtOpenMutant(
	_Out_	PHANDLE MutantHandle,
	_In_	ACCESS_MASK DesiredAccess,
	_In_	POBJECT_ATTRIBUTES ObjectAttributes
	);

NTSTATUS NTAPI NtQueryMutant(
	_In_		HANDLE MutantHandle,
	_In_		MUTANT_INFORMATION_CLASS MutantInformationClass,
	_Out_		PVOID MutantInformation,
	_In_		ULONG MutantInformationLength,
	_Out_opt_	PULONG ReturnLength
	);

NTSTATUS NTAPI NtReleaseMutant(
	_In_		HANDLE MutantHandle,
	_Out_opt_	PLONG PreviousCount
	);

NTSTATUS NTAPI NtCreateTimer(
	_In_		PHANDLE TimerHandle,
	_In_		ACCESS_MASK DesiredAccess,
	_In_opt_	POBJECT_ATTRIBUTES ObjectAttributes,
	_In_		TIMER_TYPE TimerType
	);

NTSTATUS NtSetTimer(
	_In_		HANDLE TimerHandle,
	_In_		PLARGE_INTEGER DueTime,
	_In_opt_	PTIMER_APC_ROUTINE TimerApcRoutine,
	_In_opt_	PVOID TimerContext,
	_In_		BOOLEAN WakeTimer,
	_In_opt_	LONG Period,
	_Out_opt_	PBOOLEAN PreviousState
	);

NTSTATUS NTAPI NtOpenTimer(
	_In_	PHANDLE TimerHandle,
	_In_	ACCESS_MASK DesiredAccess,
	_In_	POBJECT_ATTRIBUTES ObjectAttributes
	);

NTSTATUS NTAPI NtQueryTimer(
	_In_       HANDLE TimerHandle,
	_In_       TIMER_INFORMATION_CLASS TimerInformationClass,
	_Out_      PVOID TimerInformation,
	_In_       ULONG TimerInformationLength,
	_Out_opt_  PULONG ReturnLength
	);

NTSTATUS NTAPI NtCreateSymbolicLinkObject(
	_Out_   PHANDLE LinkHandle,
	_In_    ACCESS_MASK DesiredAccess,
	_In_    POBJECT_ATTRIBUTES ObjectAttributes,
	_In_    PUNICODE_STRING LinkTarget
	);

NTSTATUS WINAPI NtOpenSymbolicLinkObject(
	_Out_	PHANDLE LinkHandle,
	_In_	ACCESS_MASK DesiredAccess,
	_In_	POBJECT_ATTRIBUTES ObjectAttributes
	);

NTSTATUS NTAPI NtQuerySymbolicLinkObject(
	_In_		HANDLE LinkHandle,
	_Inout_		PUNICODE_STRING LinkTarget,
	_Out_opt_	PULONG  ReturnedLength
	);

NTSTATUS NTAPI NtQuerySemaphore(
	_In_		HANDLE SemaphoreHandle,
	_In_		SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
	_Out_		PVOID SemaphoreInformation,
	_In_		ULONG SemaphoreInformationLength,
	_Out_opt_	PULONG ReturnLength
	);

NTSTATUS NTAPI NtQueryDirectoryFile(
	_In_		HANDLE FileHandle,
	_In_opt_	HANDLE Event,
	_In_opt_	PIO_APC_ROUTINE ApcRoutine,
	_In_opt_	PVOID ApcContext,
	_Out_		PIO_STATUS_BLOCK IoStatusBlock,
	_Out_		PVOID FileInformation,
	_In_		ULONG Length,
	_In_		FILE_INFORMATION_CLASS FileInformationClass,
	_In_		BOOLEAN ReturnSingleEntry,
	_In_opt_	PUNICODE_STRING FileName,
	_In_		BOOLEAN RestartScan
	);

NTSTATUS NTAPI NtNotifyChangeDirectoryFile(
    _In_        HANDLE FileHandle,
    _In_opt_    HANDLE Event,
    _In_opt_    PIO_APC_ROUTINE ApcRoutine,
    _In_opt_    PVOID ApcContext,
    _Out_       PIO_STATUS_BLOCK IoStatusBlock,
    __out_bcount(Length) PVOID Buffer,
    _In_        ULONG Length,
    _In_        ULONG CompletionFilter,
    _In_        BOOLEAN WatchTree
);

NTSTATUS NTAPI NtQuerySection(
	_In_		HANDLE SectionHandle,
	_In_		SECTION_INFORMATION_CLASS SectionInformationClass,
	_Out_		PVOID SectionInformation,
	_In_		SIZE_T SectionInformationLength,
	_Out_opt_	PSIZE_T ReturnLength
	);

NTSTATUS NtOpenSection(
	_Out_	PHANDLE SectionHandle,
	_In_	ACCESS_MASK DesiredAccess,
	_In_	POBJECT_ATTRIBUTES ObjectAttributes
	);

NTSTATUS NTAPI NtCreateSection(
	_Out_		PHANDLE SectionHandle,
	_In_		ACCESS_MASK DesiredAccess,
	_In_opt_	POBJECT_ATTRIBUTES ObjectAttributes,
	_In_opt_	PLARGE_INTEGER MaximumSize,
	_In_		ULONG SectionPageProtection,
	_In_		ULONG AllocationAttributes,
	_In_opt_	HANDLE FileHandle
	);

NTSTATUS NTAPI NtMapViewOfSection(
	_In_		HANDLE SectionHandle,
	_In_		HANDLE ProcessHandle,
	__inout		PVOID *BaseAddress,
	_In_		ULONG_PTR ZeroBits,
	_In_		SIZE_T CommitSize,
	_Inout_opt_ PLARGE_INTEGER SectionOffset,
	_Inout_		PSIZE_T ViewSize,
	_In_		SECTION_INHERIT InheritDisposition,
	_In_		ULONG AllocationType,
	_In_		ULONG Win32Protect
	);

NTSTATUS NTAPI NtUnmapViewOfSection(
	_In_	HANDLE ProcessHandle,
	_In_	PVOID BaseAddress
    );

NTSTATUS NTAPI NtOpenProcessToken(
    _In_	HANDLE ProcessHandle,
    _In_	ACCESS_MASK DesiredAccess,
    _Out_	PHANDLE TokenHandle
    );

NTSTATUS NTAPI NtDuplicateToken(
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ BOOLEAN EffectiveOnly,
    _In_ TOKEN_TYPE TokenType,
    _Out_ PHANDLE NewTokenHandle
    );

#define DISABLE_MAX_PRIVILEGE   0x1 // winnt
#define SANDBOX_INERT           0x2 // winnt
#define LUA_TOKEN               0x4
#define WRITE_RESTRICT          0x8

NTSTATUS NTAPI NtFilterToken(
    _In_ HANDLE ExistingTokenHandle,
    _In_ ULONG Flags,
    _In_opt_ PTOKEN_GROUPS SidsToDisable,
    _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
    _In_opt_ PTOKEN_GROUPS RestrictedSids,
    _Out_ PHANDLE NewTokenHandle
    );

NTSTATUS NTAPI NtImpersonateAnonymousToken(
    _In_ HANDLE ThreadHandle
    );

NTSTATUS NTAPI NtQueryInformationToken(
    _In_ HANDLE TokenHandle,
    _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
    _Out_ PVOID TokenInformation,
    _In_ ULONG TokenInformationLength,
    _Out_ PULONG ReturnLength
    );

NTSTATUS NTAPI NtSetInformationToken(
    _In_ HANDLE TokenHandle,
    _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
    _In_ PVOID TokenInformation,
    _In_ ULONG TokenInformationLength
    );

NTSTATUS NTAPI NtOpenThreadTokenEx(
	_In_       HANDLE ThreadHandle,
	_In_       ACCESS_MASK DesiredAccess,
	_In_       BOOLEAN OpenAsSelf,
	_In_       ULONG HandleAttributes,
	_Out_      PHANDLE TokenHandle
	);

NTSTATUS NTAPI NtAdjustPrivilegesToken(
	_In_		HANDLE TokenHandle,
	_In_		BOOLEAN DisableAllPrivileges,
	_In_opt_	PTOKEN_PRIVILEGES NewState,
	_In_opt_	ULONG BufferLength,
	_Out_opt_	PTOKEN_PRIVILEGES PreviousState,
	_Out_opt_	PULONG ReturnLength
	);

NTSTATUS NTAPI NtQueryInformationToken(
	_In_	HANDLE TokenHandle,
	_In_	TOKEN_INFORMATION_CLASS TokenInformationClass,
	_Out_	PVOID TokenInformation,
	_In_	ULONG TokenInformationLength,
	_Out_	PULONG ReturnLength
	);

NTSTATUS NTAPI NtCreateKey(
    _Out_      PHANDLE KeyHandle,
    _In_       ACCESS_MASK DesiredAccess,
    _In_       POBJECT_ATTRIBUTES ObjectAttributes,
    __reserved ULONG TitleIndex,
    _In_opt_   PUNICODE_STRING Class,
    _In_       ULONG CreateOptions,
    _Out_opt_  PULONG Disposition
    );

NTSTATUS NTAPI NtOpenKey(
	_Out_	PHANDLE KeyHandle,
	_In_	ACCESS_MASK DesiredAccess,
	_In_	POBJECT_ATTRIBUTES ObjectAttributes
	);

NTSTATUS NTAPI NtQueryKey(
	_In_		HANDLE KeyHandle,
	_In_		KEY_INFORMATION_CLASS KeyInformationClass,
	_Out_opt_	PVOID KeyInformation,
	_In_		ULONG Length,
	_Out_		PULONG ResultLength
	);

NTSTATUS NTAPI NtQueryValueKey(
	_In_       HANDLE KeyHandle,
	_In_       PUNICODE_STRING ValueName,
	_In_       KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
	_Out_      PVOID KeyValueInformation,
	_In_       ULONG Length,
	_Out_      PULONG ResultLength
	);

NTSTATUS NTAPI NtSetValueKey(
    _In_     HANDLE KeyHandle,
    _In_     PUNICODE_STRING ValueName,
    _In_opt_ ULONG TitleIndex,
    _In_     ULONG Type,
    _In_     PVOID Data,
    _In_     ULONG DataSize
   );

NTSTATUS NTAPI NtDeleteKey(
	_In_       HANDLE KeyHandle
	);

NTSTATUS NTAPI NtDeleteValueKey(
	_In_       HANDLE KeyHandle,
	_In_       PUNICODE_STRING ValueName
	);

NTSTATUS NTAPI NtLoadDriver(
    _In_ PUNICODE_STRING DriverServiceName
    );

NTSTATUS NTAPI NtUnloadDriver(
    _In_ PUNICODE_STRING DriverServiceName
    );

NTSTATUS NTAPI NtOpenJobObject(
	_Out_	PHANDLE JobHandle,
	_In_	ACCESS_MASK DesiredAccess,
	_In_	POBJECT_ATTRIBUTES ObjectAttributes
	);

NTSTATUS NTAPI NtQueryInformationJobObject(
	_In_opt_	HANDLE JobHandle,
	_In_		JOBOBJECTINFOCLASS JobObjectInformationClass,
	_Out_		PVOID JobObjectInformation,
	_In_		ULONG JobObjectInformationLength,
	_Out_opt_	PULONG ReturnLength
	);

NTSTATUS NTAPI NtOpenIoCompletion(
	_Out_	PHANDLE IoCompletionHandle,
	_In_	ACCESS_MASK DesiredAccess,
	_In_	POBJECT_ATTRIBUTES ObjectAttributes
	);

NTSTATUS NTAPI NtQueryIoCompletion(
	_In_		HANDLE IoCompletionHandle,
	_In_		IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass,
	_Out_		PVOID IoCompletionInformation,
	_In_		ULONG IoCompletionInformationLength,
	_Out_opt_	PULONG ReturnLength
	);

NTSTATUS NTAPI NtQueryInformationFile(
	_In_	HANDLE FileHandle,
	_Out_	PIO_STATUS_BLOCK IoStatusBlock,
	_Out_	PVOID FileInformation,
	_In_	ULONG Length,
	_In_	FILE_INFORMATION_CLASS FileInformationClass
	);

NTSTATUS NTAPI NtQueryFullAttributesFile(
    __in    POBJECT_ATTRIBUTES ObjectAttributes,
    __out   PFILE_NETWORK_OPEN_INFORMATION FileInformation
);

NTSTATUS NTAPI NtQueryDirectoryFile(
	_In_      HANDLE FileHandle,
	_In_opt_  HANDLE Event,
	_In_opt_  PIO_APC_ROUTINE ApcRoutine,
	_In_opt_  PVOID ApcContext,
	_Out_     PIO_STATUS_BLOCK IoStatusBlock,
	_Out_     PVOID FileInformation,
	_In_      ULONG Length,
	_In_      FILE_INFORMATION_CLASS FileInformationClass,
	_In_      BOOLEAN ReturnSingleEntry,
	_In_opt_  PUNICODE_STRING FileName,
	_In_      BOOLEAN RestartScan
	);

NTSTATUS NTAPI NtQueryEaFile(
	_In_ HANDLE FileHandle,
	_Out_ PIO_STATUS_BLOCK IoStatusBlock,
	__out_bcount(Length) PVOID Buffer,
	_In_ ULONG Length,
	_In_ BOOLEAN ReturnSingleEntry,
	__in_bcount_opt(EaListLength) PVOID EaList,
	_In_ ULONG EaListLength,
	_In_opt_ PULONG EaIndex,
	_In_ BOOLEAN RestartScan
	);

NTSTATUS NTAPI NtSetEaFile(
	_In_ HANDLE FileHandle,
	_Out_ PIO_STATUS_BLOCK IoStatusBlock,
	__in_bcount(Length) PVOID Buffer,
	_In_ ULONG Length
	);

NTSTATUS NTAPI NtQueryVolumeInformationFile(
	_In_    HANDLE FileHandle,
	_Out_   PIO_STATUS_BLOCK IoStatusBlock,
	_Out_   PVOID FsInformation,
	_In_    ULONG Length,
	_In_    FS_INFORMATION_CLASS FsInformationClass
	);

NTSTATUS NTAPI NtOpenFile(
	_Out_	PHANDLE FileHandle,
	_In_	ACCESS_MASK DesiredAccess,
	_In_	POBJECT_ATTRIBUTES ObjectAttributes,
	_Out_	PIO_STATUS_BLOCK IoStatusBlock,
	_In_	ULONG ShareAccess,
	_In_	ULONG OpenOptions
	);

NTSTATUS NTAPI NtReadFile(
	_In_     HANDLE FileHandle,
	_In_opt_ HANDLE Event,
	_In_opt_ PIO_APC_ROUTINE ApcRoutine,
	_In_opt_ PVOID ApcContext,
	_Out_    PIO_STATUS_BLOCK IoStatusBlock,
	__out_bcount(Length) PVOID Buffer,
	_In_     ULONG Length,
	_In_opt_ PLARGE_INTEGER ByteOffset,
	_In_opt_ PULONG Key
	);

NTSTATUS NTAPI NtWriteFile(
	_In_ HANDLE FileHandle,
	_In_opt_ HANDLE Event,
	_In_opt_ PIO_APC_ROUTINE ApcRoutine,
	_In_opt_ PVOID ApcContext,
	_Out_ PIO_STATUS_BLOCK IoStatusBlock,
	_In_ PVOID Buffer,
	_In_ ULONG Length,
	_In_opt_ PLARGE_INTEGER ByteOffset,
	_In_opt_ PULONG Key
	);

NTSTATUS NTAPI NtFlushBuffersFile(
	_In_ HANDLE FileHandle,
	_Out_ PIO_STATUS_BLOCK IoStatusBlock
	);

NTSTATUS NTAPI NtSetInformationFile(
	_In_ HANDLE FileHandle,
	_Out_ PIO_STATUS_BLOCK IoStatusBlock,
	__in_bcount(Length) PVOID FileInformation,
	_In_ ULONG Length,
	_In_ FILE_INFORMATION_CLASS FileInformationClass
	);

NTSTATUS NTAPI NtDeleteFile(
	_In_ POBJECT_ATTRIBUTES ObjectAttributes
	);

NTSTATUS NTAPI NtOpenEvent(
	_Out_	PHANDLE EventHandle,
	_In_	ACCESS_MASK DesiredAccess,
	_In_	POBJECT_ATTRIBUTES ObjectAttributes
	);

NTSTATUS NTAPI NtOpenKeyedEvent(
	_Out_	PHANDLE KeyedEventHandle,
	_In_	ACCESS_MASK DesiredAccess,
	_In_	POBJECT_ATTRIBUTES ObjectAttributes
	);

NTSTATUS NTAPI NtOpenSemaphore(
	_Out_	PHANDLE SemaphoreHandle,
	_In_	ACCESS_MASK DesiredAccess,
	_In_	POBJECT_ATTRIBUTES ObjectAttributes
	);

NTSTATUS NTAPI NtQueryEvent(
	_In_		HANDLE EventHandle,
	_In_		EVENT_INFORMATION_CLASS EventInformationClass,
	_Out_		PVOID EventInformation,
	_In_		ULONG EventInformationLength,
	_Out_opt_	PULONG ReturnLength
	);

NTSTATUS NTAPI NtOpenEventPair(
	_Out_	PHANDLE EventPairHandle,
	_In_	ACCESS_MASK DesiredAccess,
	_In_	POBJECT_ATTRIBUTES ObjectAttributes
	);

//TmTx
NTSTATUS NTAPI NtCreateTransaction(
	_Out_     PHANDLE TransactionHandle,
	_In_      ACCESS_MASK DesiredAccess,
	_In_opt_  POBJECT_ATTRIBUTES ObjectAttributes,
	_In_opt_  LPGUID Uow,
	_In_opt_  HANDLE TmHandle,
	_In_opt_  ULONG CreateOptions,
	_In_opt_  ULONG IsolationLevel,
	_In_opt_  ULONG IsolationFlags,
	_In_opt_  PLARGE_INTEGER Timeout,
	_In_opt_  PUNICODE_STRING Description
	);

NTSTATUS NTAPI NtRollbackTransaction(
    _In_ HANDLE  TransactionHandle,
    _In_ BOOLEAN Wait);

//TmRm
NTSTATUS NTAPI NtCreateResourceManager(
	_Out_     PHANDLE ResourceManagerHandle,
	_In_      ACCESS_MASK DesiredAccess,
	_In_      HANDLE TmHandle,
	_In_opt_  LPGUID ResourceManagerGuid,
	_In_opt_  POBJECT_ATTRIBUTES ObjectAttributes,
	_In_opt_  ULONG CreateOptions,
	_In_opt_  PUNICODE_STRING Description
	);

//TmEn
NTSTATUS NTAPI NtCreateEnlistment(
	_Out_     PHANDLE EnlistmentHandle,
	_In_      ACCESS_MASK DesiredAccess,
	_In_      HANDLE ResourceManagerHandle,
	_In_      HANDLE TransactionHandle,
	_In_opt_  POBJECT_ATTRIBUTES ObjectAttributes,
	_In_opt_  ULONG CreateOptions,
	_In_      NOTIFICATION_MASK NotificationMask,
	_In_opt_  PVOID EnlistmentKey
	);

//TmTm
NTSTATUS NTAPI NtCreateTransactionManager(
	_Out_     PHANDLE TmHandle,
	_In_      ACCESS_MASK DesiredAccess,
	_In_opt_  POBJECT_ATTRIBUTES ObjectAttributes,
	_In_opt_  PUNICODE_STRING LogFileName,
	_In_opt_  ULONG CreateOptions,
	_In_opt_  ULONG CommitStrength
	);

NTSTATUS NTAPI NtCreateFile(
	_Out_		PHANDLE FileHandle,
	_In_		ACCESS_MASK DesiredAccess,
	_In_		POBJECT_ATTRIBUTES ObjectAttributes,
	_Out_		PIO_STATUS_BLOCK IoStatusBlock,
	_In_opt_	PLARGE_INTEGER AllocationSize,
	_In_		ULONG FileAttributes,
	_In_		ULONG ShareAccess,
	_In_		ULONG CreateDisposition,
	_In_		ULONG CreateOptions,
	_In_opt_	PVOID EaBuffer,
	_In_		ULONG EaLength
	);

NTSTATUS NTAPI NtDeviceIoControlFile(
    _In_  HANDLE           FileHandle,
    _In_  HANDLE           Event,
    _In_  PIO_APC_ROUTINE  ApcRoutine,
    _In_  PVOID            ApcContext,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_  ULONG            IoControlCode,
    _In_  PVOID            InputBuffer,
    _In_  ULONG            InputBufferLength,
    _Out_ PVOID            OutputBuffer,
    _In_  ULONG            OutputBufferLength
    );

NTSTATUS NTAPI NtFsControlFile(
    _In_      HANDLE           FileHandle,
    _In_opt_  HANDLE           Event,
    _In_opt_  PIO_APC_ROUTINE  ApcRoutine,
    _In_opt_  PVOID            ApcContext,
    _Out_     PIO_STATUS_BLOCK IoStatusBlock,
    _In_      ULONG            FsControlCode,
    _In_opt_  PVOID            InputBuffer,
    _In_      ULONG            InputBufferLength,
    _Out_opt_ PVOID            OutputBuffer,
    _In_      ULONG            OutputBufferLength
    );

NTSTATUS NTAPI NtCreateUserProcess(
    _Out_ PHANDLE ProcessHandle,
    _Out_ PHANDLE ThreadHandle,
    _In_ ACCESS_MASK ProcessDesiredAccess,
    _In_ ACCESS_MASK ThreadDesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes,
    _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes,
    _In_ ULONG ProcessFlags,
    _In_ ULONG ThreadFlags, 
    _In_opt_ PVOID ProcessParameters, 
    _Inout_ PPS_CREATE_INFO CreateInfo,
    _In_opt_ PPS_ATTRIBUTE_LIST AttributeList
    );

NTSTATUS NTAPI NtOpenProcess(
	_Out_		PHANDLE ProcessHandle,
	_In_		ACCESS_MASK DesiredAccess,
	_In_		POBJECT_ATTRIBUTES ObjectAttributes,
	_In_opt_	PCLIENT_ID ClientId
	);

NTSTATUS NTAPI NtTerminateProcess(
	_In_opt_	HANDLE ProcessHandle,
	_In_		NTSTATUS ExitStatus
	);

NTSTATUS NTAPI NtSuspendProcess(
	_In_        HANDLE ProcessHandle
	);

NTSTATUS NTAPI NtResumeProcess(
	_In_        HANDLE ProcessHandle
	);

NTSTATUS NTAPI NtSuspendThread(
	_In_		HANDLE ThreadHandle,
	_Out_opt_	PULONG PreviousSuspendCount
	);

NTSTATUS NTAPI NtResumeThread(
	_In_		HANDLE ThreadHandle,
	_Out_opt_	PULONG PreviousSuspendCount
	);

NTSTATUS NTAPI NtOpenThread(
	_Out_       PHANDLE ThreadHandle,
	_In_        ACCESS_MASK DesiredAccess,
	_In_        POBJECT_ATTRIBUTES ObjectAttributes,
	_In_opt_    PCLIENT_ID ClientId
	);

NTSTATUS NTAPI NtTerminateThread(
	_In_opt_    HANDLE ThreadHandle,
	_In_        NTSTATUS ExitStatus
	);

NTSTATUS NTAPI NtImpersonateThread(
	_In_        HANDLE ServerThreadHandle,
	_In_        HANDLE ClientThreadHandle,
	_In_        PSECURITY_QUALITY_OF_SERVICE SecurityQos
	);

NTSTATUS NTAPI NtSetContextThread(
	_In_        HANDLE ThreadHandle,
	_In_        PCONTEXT ThreadContext
	);

NTSTATUS NTAPI NtGetContextThread(
	_In_        HANDLE ThreadHandle,
	_Inout_     PCONTEXT ThreadContext
	);

NTSTATUS NTAPI NtQueryInformationThread(
	_In_       HANDLE ThreadHandle,
	_In_       THREADINFOCLASS ThreadInformationClass,
	_Out_      PVOID ThreadInformation,
	_In_       ULONG ThreadInformationLength,
	_Out_opt_  PULONG ReturnLength
	);

NTSTATUS NTAPI NtSetInformationThread(
	_In_       HANDLE ThreadHandle,
	_In_       THREADINFOCLASS ThreadInformationClass,
	_In_       PVOID ThreadInformation,
	_In_       ULONG ThreadInformationLength
	);

NTSTATUS NTAPI NtQueryInformationProcess(
	_In_		HANDLE ProcessHandle,
	_In_		PROCESSINFOCLASS ProcessInformationClass,
	_Out_		PVOID ProcessInformation,
	_In_		ULONG ProcessInformationLength,
	_Out_opt_	PULONG ReturnLength
	);

NTSTATUS NTAPI NtSetInformationProcess(
    _In_        HANDLE ProcessHandle,
    _In_        PROCESSINFOCLASS ProcessInformationClass,
    _In_count_(ProcessInformationLength) PVOID ProcessInformation,
    _In_        ULONG ProcessInformationLength
    );

NTSTATUS NTAPI NtDuplicateObject(
	_In_		HANDLE SourceProcessHandle,
	_In_		HANDLE SourceHandle,
	_In_opt_	HANDLE TargetProcessHandle,
	_Out_		PHANDLE TargetHandle,
	_In_		ACCESS_MASK DesiredAccess,
	_In_		ULONG HandleAttributes,
	_In_		ULONG Options
	);

NTSTATUS NTAPI NtSetSecurityObject(
	_In_	HANDLE Handle,
	_In_	SECURITY_INFORMATION SecurityInformation,
	_In_	PSECURITY_DESCRIPTOR SecurityDescriptor
	);

NTSTATUS NTAPI NtQuerySecurityObject(
	_In_	HANDLE Handle,
	_In_	SECURITY_INFORMATION SecurityInformation,
	_Out_	PSECURITY_DESCRIPTOR SecurityDescriptor,
	_In_	ULONG Length,
	_Out_	PULONG LengthNeeded
	);

NTSTATUS NTAPI NtQueryLicenseValue(
    _In_ PUNICODE_STRING ValueName,
    _Out_opt_ PULONG Type,
    _Out_writes_bytes_to_opt_(DataSize, *ResultDataSize) PVOID Data,
    _In_ ULONG DataSize,
    _Out_ PULONG ResultDataSize
);

NTSTATUS NtCreateIoCompletion(
	_Out_		PHANDLE IoCompletionHandle,
	_In_		ACCESS_MASK DesiredAccess,
	_In_opt_	POBJECT_ATTRIBUTES ObjectAttributes,
	_In_opt_	ULONG Count
	);

NTSTATUS NTAPI NtCreateEvent(
	_Out_		PHANDLE EventHandle,
	_In_		ACCESS_MASK DesiredAccess,
	_In_opt_	POBJECT_ATTRIBUTES ObjectAttributes,
	_In_		EVENT_TYPE EventType,
	_In_		BOOLEAN InitialState
	);

NTSTATUS NTAPI NtSetEvent(
    _In_        HANDLE EventHandle,
    _Out_opt_   PLONG PreviousState
    );

NTSTATUS NTAPI NtAllocateVirtualMemory(
	_In_        HANDLE ProcessHandle,
	_Inout_     PVOID *BaseAddress,
	_In_        ULONG_PTR ZeroBits,
	_Inout_     PSIZE_T RegionSize,
	_In_        ULONG AllocationType,
	_In_        ULONG Protect
	);

NTSTATUS NTAPI NtFreeVirtualMemory(
	_In_       HANDLE ProcessHandle,
	_Inout_    PVOID *BaseAddress,
	_Inout_    PSIZE_T RegionSize,
	_In_       ULONG FreeType
	);

NTSTATUS NTAPI NtQueryVirtualMemory(
	_In_		HANDLE ProcessHandle,
	_In_		PVOID BaseAddress,
	_In_		MEMORY_INFORMATION_CLASS MemoryInformationClass,
	_Out_		PVOID MemoryInformation,
	_In_		SIZE_T MemoryInformationLength,
	_Out_opt_	PSIZE_T ReturnLength
	);

NTSTATUS NTAPI NtReadVirtualMemory(
	_In_		HANDLE ProcessHandle,
	_In_opt_	PVOID BaseAddress,
	_Out_		PVOID Buffer,
	_In_		SIZE_T BufferSize,
	_Out_opt_	PSIZE_T NumberOfBytesRead
	);

NTSTATUS NTAPI NtWriteVirtualMemory(
	_In_        HANDLE ProcessHandle,
	_In_opt_    PVOID BaseAddress,
	_In_        VOID *Buffer,
	_In_        SIZE_T BufferSize,
	_Out_opt_   PSIZE_T NumberOfBytesWritten
	);

NTSTATUS NTAPI NtProtectVirtualMemory(
	_In_        HANDLE ProcessHandle,
	_Inout_     PVOID *BaseAddress,
	_Inout_     PSIZE_T RegionSize,
	_In_        ULONG NewProtect,
	_Out_       PULONG OldProtect
	);

NTSTATUS NTAPI NtEnumerateKey(
	_In_		HANDLE KeyHandle,
	_In_		ULONG Index,
	_In_		KEY_INFORMATION_CLASS KeyInformationClass,
	_Out_opt_	PVOID KeyInformation,
	_In_		ULONG Length,
	_Out_		PULONG ResultLength
	);

NTSTATUS NTAPI NtCreatePort(
	_Out_	PHANDLE PortHandle,
	_In_	POBJECT_ATTRIBUTES ObjectAttributes,
	_In_	ULONG MaxConnectionInfoLength,
	_In_	ULONG MaxMessageLength,
	_In_	ULONG MaxPoolUsage
	);

NTSTATUS NTAPI NtCompleteConnectPort(
	_In_	HANDLE PortHandle
	);

NTSTATUS NTAPI NtListenPort(
	_In_	HANDLE PortHandle,
	_Out_	PPORT_MESSAGE ConnectionRequest
	);

NTSTATUS NTAPI NtReplyPort(
	_In_	HANDLE PortHandle,
	_In_	PPORT_MESSAGE ReplyMessage
	);

NTSTATUS NTAPI NtReplyWaitReplyPort(
	_In_	HANDLE PortHandle,
	_Inout_	PPORT_MESSAGE ReplyMessage
	);

NTSTATUS NTAPI NtRequestPort(
	_In_	HANDLE PortHandle,
	_In_	PPORT_MESSAGE RequestMessage
	);

NTSTATUS NTAPI NtRequestWaitReplyPort(
	_In_	HANDLE PortHandle,
	_In_	PPORT_MESSAGE RequestMessage,
	_Out_	PPORT_MESSAGE ReplyMessage
	);

NTSTATUS NTAPI NtClosePort(
	_In_	HANDLE PortHandle
	);

NTSTATUS NTAPI NtReplyWaitReceivePort(
	_In_		HANDLE PortHandle,
	_Out_opt_	PVOID *PortContext,
	_In_opt_	PPORT_MESSAGE ReplyMessage,
	_Out_		PPORT_MESSAGE ReceiveMessage
	);

NTSTATUS NTAPI NtWriteRequestData(
	_In_		HANDLE PortHandle,
	_In_		PPORT_MESSAGE Message,
	_In_		ULONG DataEntryIndex,
	_In_		PVOID Buffer,
	_In_		ULONG BufferSize,
	_Out_opt_	PULONG NumberOfBytesWritten
	);

NTSTATUS NTAPI NtReadRequestData(
	_In_		HANDLE PortHandle,
	_In_		PPORT_MESSAGE Message,
	_In_		ULONG DataEntryIndex,
	_Out_		PVOID Buffer,
	_In_		ULONG BufferSize,
	_Out_opt_	PULONG NumberOfBytesRead
	);

NTSTATUS NTAPI NtConnectPort(
	_Out_			PHANDLE PortHandle,
	_In_			PUNICODE_STRING PortName,
	_In_			PSECURITY_QUALITY_OF_SERVICE SecurityQos,
	_Inout_opt_		PPORT_VIEW ClientView,
	_Out_opt_		PREMOTE_PORT_VIEW ServerView,
	_Out_opt_		PULONG MaxMessageLength,
	_Inout_opt_		PVOID ConnectionInformation,
	_Inout_opt_		PULONG ConnectionInformationLength
	);

NTSTATUS NTAPI NtAcceptConnectPort(
	_Out_			PHANDLE PortHandle,
	_In_opt_		PVOID PortContext,
	_In_			PPORT_MESSAGE ConnectionRequest,
	_In_			BOOLEAN AcceptConnection,
	_Inout_opt_		PPORT_VIEW ServerView,
	_Out_opt_		PREMOTE_PORT_VIEW ClientView);

typedef
VOID
(*PPS_APC_ROUTINE) (
	_In_opt_ PVOID ApcArgument1,
	_In_opt_ PVOID ApcArgument2,
	_In_opt_ PVOID ApcArgument3);

NTSTATUS NTAPI NtQueueApcThread(
	_In_ HANDLE ThreadHandle,
	_In_ PPS_APC_ROUTINE ApcRoutine,
	_In_opt_ PVOID ApcArgument1,
	_In_opt_ PVOID ApcArgument2,
	_In_opt_ PVOID ApcArgument3);

NTSTATUS NTAPI NtWaitForSingleObject(
	_In_ HANDLE Handle,
	_In_ BOOLEAN Alertable,
	_In_opt_ PLARGE_INTEGER Timeout);

NTSTATUS NTAPI NtYieldExecution(
    VOID);

NTSTATUS NTAPI NtCreateMailslotFile(
    _Out_ PHANDLE FileHandle,
    _In_ ULONG DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_ ULONG CreateOptions,
    _In_ ULONG MailslotQuota,
    _In_ ULONG MaximumMessageSize,
    _In_ PLARGE_INTEGER ReadTimeout);

NTSTATUS NTAPI NtSecureConnectPort(
    _Out_ PHANDLE PortHandle,
    _In_ PUNICODE_STRING PortName,
    _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos,
    _Inout_opt_ PPORT_VIEW ClientView,
    _In_opt_ PSID RequiredServerSid,
    _Inout_opt_ PREMOTE_PORT_VIEW ServerView,
    _Out_opt_ PULONG MaxMessageLength,
    _Inout_opt_ PVOID ConnectionInformation,
    _Inout_opt_ PULONG ConnectionInformationLength);

NTSTATUS NTAPI NtEnumerateBootEntries(
    _Out_ PVOID Buffer,
    _Inout_ PULONG BufferLength);

NTSTATUS NTAPI NtPrivilegeCheck(
    _In_ HANDLE ClientToken,
    _Inout_ PPRIVILEGE_SET RequiredPrivileges,
    _Out_ PBOOLEAN Result
    );

NTSTATUS NTAPI NtCreateProcessEx(
    _Out_    PHANDLE ProcessHandle,
    _In_     ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_     HANDLE ParentProcess,
    _In_     ULONG Flags,
    _In_opt_ HANDLE SectionHandle,
    _In_opt_ HANDLE DebugPort,
    _In_opt_ HANDLE ExceptionPort,
    _In_     BOOLEAN InJob);

NTSTATUS NTAPI NtCreateThreadEx(
    _Out_ PHANDLE hThread,
    _In_  ACCESS_MASK DesiredAccess,
    _In_  LPVOID ObjectAttributes,
    _In_  HANDLE ProcessHandle,
    _In_  LPTHREAD_START_ROUTINE lpStartAddress,
    _In_  LPVOID lpParameter,
    _In_  BOOL CreateSuspended,
    _In_  DWORD StackZeroBits,
    _In_  DWORD SizeOfStackCommit,
    _In_  DWORD SizeOfStackReserve,
    _Out_ LPVOID lpBytesBuffer);

